{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27837", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.801Z", "datePublished": "2026-02-26T00:19:24.289Z", "dateUpdated": "2026-02-26T14:40:07.451Z"}, "containers": {"cna": {"title": "Dottie vulnerable to prototype pollution bypass via non-first path segments in set() and transform()", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w"}, {"name": "https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14", "tags": ["x_refsource_MISC"], "url": "https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14"}, {"name": "https://github.com/advisories/GHSA-4gxf-g5gf-22h4", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-4gxf-g5gf-22h4"}], "affected": [{"vendor": "mickhansen", "product": "dottie.js", "versions": [{"version": ">= 2.0.4, < 2.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:19:24.289Z"}, "descriptions": [{"lang": "en", "value": "Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability."}], "source": {"advisory": "GHSA-r5mx-6wc6-7h9w", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:40:01.145738Z", "id": "CVE-2026-27837", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:40:07.451Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27837", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:40:01.145738Z"}}}], "references": [{"url": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:39:49.575Z"}}], "cna": {"title": "Dottie vulnerable to prototype pollution bypass via non-first path segments in set() and transform()", "source": {"advisory": "GHSA-r5mx-6wc6-7h9w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mickhansen", "product": "dottie.js", "versions": [{"status": "affected", "version": ">= 2.0.4, < 2.0.7"}]}], "references": [{"url": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w", "name": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14", "name": "https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-4gxf-g5gf-22h4", "name": "https://github.com/advisories/GHSA-4gxf-g5gf-22h4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:19:24.289Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27837", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:40:07.451Z", "dateReserved": "2026-02-24T02:32:39.801Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:19:24.289Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dottie_project:dottie:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FF86BC0C-9F05-4A84-95F1-40400ECB4DA8", "versionEndExcluding": "2.0.7", "versionStartIncluding": "2.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability."}], "id": "CVE-2026-27837", "lastModified": "2026-02-28T00:58:17.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T01:16:24.937", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/advisories/GHSA-4gxf-g5gf-22h4"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "dottie.js: dottie.js: Unauthorized object modification via prototype pollution bypass", "id": "2442905", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442905"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-915", "details": ["A flaw was found in dottie.js, a JavaScript library for nested object access and manipulation. An incomplete fix for a previous vulnerability allows a remote attacker to bypass prototype pollution protection by placing '__proto__' at any position other than the first in a dot-separated path. This vulnerability affects the `dottie.set()` and `dottie.transform()` functions. Successful exploitation can lead to unauthorized modification of object properties, potentially causing unexpected application behavior, information disclosure, or denial of service."], "name": "CVE-2026-27837", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Not affected", "package_name": "openshift-sandboxed-containers/osc-pccs", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "linux-sgx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "linux-sgx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite/iop-remediations-rhel9", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-02-26T00:19:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27837\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27837\nhttps://github.com/advisories/GHSA-4gxf-g5gf-22h4\nhttps://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14\nhttps://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.4,2.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dottie.js", "source": "cna", "vendor": "mickhansen"}, "product": "dottie.js", "vendor": "mickhansen"}], "analysis": {"en": {"generated_at": "2026-04-18T19:34:45.921304+00:00", "value": {"mitigation_remediation": ["Upgrade to dottie.js v2.0.7 or newer to apply the complete fix", "Sanitize any user\u2011supplied path strings before calling dottie.set() or dottie.transform(), removing or escaping \"__proto__\" segments that appear beyond the first component", "Restrict calls to dottie.set() and dottie.transform() to trusted, internal data rather than public or untrusted input"], "summary": {"action": "Apply patch", "impact": "Prototype Pollution"}, "threat_synthesis": {"affected_systems": "The issue affects the dottie.js library maintained by mickhansen. Versions 2.0.4 through 2.0.6 contain the incomplete fix and are vulnerable. Version 2.0.7 and later contain an updated fix that removes the flaw. Applications that embed these specific Node.js module versions, especially those that rely on user\u2011supplied dot\u2011path strings, are at risk.", "description_and_impact": "Dottie.js provides nested object access through dot\u2011separated paths. A bug in a defensive guard added in a previous patch only inspects the first segment of such a path, allowing an attacker to insert \"__proto__\" in any other segment and cause prototype pollution. This changes shared prototypes and can alter the behavior of other objects that rely on them. The vulnerability is classified under CWE\u20111321 (Prototype Pollution) and CWE\u2011915 (Implicit Type Conversion).", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low but non\u2011zero chance of exploitation. The vulnerability is not listed in CISA's KEV catalog, so no widespread known exploitation has yet been reported. The most likely attack vector is any code path that passes user\u2011supplied or untrusted dot\u2011separated paths to dottie.set() or dottie.transform(), enabling an attacker to manipulate prototypes that other code may later use."}}}}, "created": "2026-02-26T13:10:22.941020+00:00", "updated": "2026-04-18T19:45:08.960200+00:00", "vendors": ["mickhansen", "mickhansen$PRODUCT$dottie.js"]}