GHSA-w48f-fwg7-ww6p: @stablelib/cbor: Prototype poisoning via `proto` map keys in CBOR decoding

April 4, 2026 (updated April 7, 2026)

@stablelib/cbor decodes CBOR maps into ordinary JavaScript objects and assigns attacker-controlled keys directly onto those objects. A CBOR map key named __proto__ therefore changes the prototype of the decoded object instead of becoming an ordinary data property.

References

github.com/StableLib/stablelib
github.com/StableLib/stablelib/commit/0f153a63b7552a0e8721f640984113e419015026
github.com/StableLib/stablelib/security/advisories/GHSA-w48f-fwg7-ww6p
github.com/advisories/GHSA-w48f-fwg7-ww6p

Code Behaviors & Features

Detect and mitigate GHSA-w48f-fwg7-ww6p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →