{"vuid":"VU#458422","idnumber":"458422","name":"CASL Ability contains a prototype pollution vulnerability","keywords":null,"overview":"### Overview\r\nA prototype pollution vulnerability present in CASL Ability versions 2.4.0 through 6.7.4 is triggered through the `rulesToFields()` function in the `extra` module. The library contains a method called `setByPath()` that does not properly sanitize property names, allowing attackers to add or modify properties on an object’s prototype.\r\n\r\n### Description\r\nThe CASL library provides a robust suite for managing attribute-based access control across various components, services, and queries. Access control is defined with a set of rule conditions. The library provides a set of default values for these conditions.\r\n\r\nIn JavaScript libraries like CASL, prototypes are template objects that serve as blueprints and inform the properties of their child objects. By exploiting this prototype pollution vulnerability, an attacker can inject arbitrary properties into global object prototypes, thereby affecting all child objects that inherit from them. The issue arises from a flaw in the `setByPath()` function, a component of the `rulesToFields()` function in the `extra` module.\r\n\r\nThe `setByPath()` function is intended to safely update only permitted fields; however, it fails to properly sanitize path segments before using them as object property keys. Consequently, special property names such as `prototype` and `constructor` are accepted as valid keys, allowing an attacker to modify the properties of object prototypes and constructor classes. Furthermore, the `__proto__` special property can be used to traverse the prototype chain and ultimately write to `Object.prototype`, the root prototype of all objects. By polluting `Object.prototype`, an attacker can add arbitrary properties to all objects and compromise the prototype chain throughout the Node.js process.\r\n\r\n### Impact\r\nAs `Object.prototype` is the root prototype that all JavaScript objects inherit from, changes to its properties can be significant, allowing an attacker to execute arbitrary code and potentially leading to a complete system compromise. Additionally, an attacker can bypass intended authorization logic, allowing unauthorized access to sensitive resources. Furthermore, changes to `Object.prototype` can cause unintended behavior in application code, leading to logic manipulation and potentially allowing an attacker to perform actions that would normally be restricted.\r\n\r\nManipulating properties in `Object.prototype` can also cause crashes or unexpected behavior if polluted properties do not match expected types in the application code, leading to a denial of service. Overall, the `Object.prototype` pollution vulnerability poses a significant risk to applications and systems. Because the vulnerability exists in the CASL library, which is used by multiple applications and services, a single exploit can have a ripple effect, compromising multiple systems and potentially leading to a widespread security breach.\r\n\r\n### Solution\r\nUsers of the library should upgrade to version 6.7.5 or later, found at https://github.com/stalniy/casl/tree/master/packages/casl-ability.\r\n\r\n### Acknowledgements\r\nThanks to Maor Caplan from Alma Security for coordinating the disclosure of this vulnerability. This document was written by Ayushi Kriplani and Dr. E. Drennan, CISSP.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://github.com/stalniy/casl/tree/master/packages/casl-ability","https://cwe.mitre.org/data/definitions/1321.html","https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution"],"cveids":["CVE-2026-1774"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-02-10T15:14:08.794766Z","publicdate":"2026-02-10T15:14:08.596718Z","datefirstpublished":"2026-02-10T15:14:08.814831Z","dateupdated":"2026-02-10T15:14:08.596713Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":174}