GHSA-2cjr-5v3h-v2w4: Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
A prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into `Object.prototype`. The vulnerability exists in the `_applyUpdate()` and `_updateRecord()` functions, which use `Object.assign()` to merge user-controlled data without filtering dangerous keys like `__proto__`, `constructor`, or `prototype`.
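The following added example is not Evolver's code: the names `unsafeApplyUpdate`, `safeApplyUpdate` and `sanitize` and the sample payload are assumptions constructed for illustration. It contrasts an unfiltered `Object.assign()` merge of parsed JSON with one that drops the dangerous keys first, for the single-record case where the unfiltered merge replaces the record's prototype and an attribute the record never owned becomes readable on it.

```javascript
// Added example with hypothetical names; not taken from the Evolver code base.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unfiltered merge, the pattern the advisory describes. JSON.parse creates
// "__proto__" as an own property, and Object.assign then assigns it through
// the target's __proto__ setter, replacing the target's prototype.
function unsafeApplyUpdate(record, update) {
  return Object.assign(record, update);
}

// Recursively copy untrusted data into null-prototype objects,
// skipping the dangerous keys at every nesting level.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value === null || typeof value !== 'object') return value;
  const clean = Object.create(null);
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) continue;
    clean[key] = sanitize(value[key]);
  }
  return clean;
}

// Hardened merge: only filtered own keys ever reach Object.assign.
function safeApplyUpdate(record, update) {
  return Object.assign(record, sanitize(update));
}

// Constructed sample input standing in for a user-controlled update.
const UNTRUSTED = '{"status":"read","__proto__":{"isAdmin":true}}';

function demo() {
  const a = unsafeApplyUpdate({ id: 1 }, JSON.parse(UNTRUSTED));
  const b = safeApplyUpdate({ id: 1 }, JSON.parse(UNTRUSTED));
  return {
    // Inherited through the swapped prototype, not an own property.
    unsafeReadsIsAdmin: a.isAdmin === true,
    unsafeOwnsIsAdmin: Object.prototype.hasOwnProperty.call(a, 'isAdmin'),
    safeReadsIsAdmin: 'isAdmin' in b,
    safeStatus: b.status,
  };
}

console.log(demo());
```

Checks written as `hasOwnProperty` on the record would miss the unfiltered case, because the injected value arrives through the prototype chain rather than as an own property.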