CVE-2026-55091: flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
convert() builds the nested tree by using each flat record’s id and parent field values directly as object keys, with no guard against __proto__ / constructor / prototype. A record whose parent is the string "__proto__" makes temp[parent] resolve to Object.prototype, and the following initPush(...) writes attacker-controlled data onto the global prototype. Any application that passes attacker-influenced records to convert() is affected, and the base prototype methods stay intact so the pollution is stealthy.
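As an added illustration (not flat-to-nested's own code; the function and option names are hypothetical), a minimal converter that follows the pattern the advisory describes, beside a hardened version that rejects prototype-affecting keys and indexes records in a null-prototype object:

```javascript
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// In the style of the advisory's initPush: make obj[key] an array if needed, then push.
function initPush(obj, key, value) {
  if (!obj[key]) obj[key] = [];
  obj[key].push(value);
}
// Vulnerable pattern (hypothetical reconstruction): id/parent values become keys of a
// plain object, so temp["__proto__"] is Object.prototype and initPush writes onto it.
function convertUnguarded(records) {
  const temp = {}, roots = [];
  for (const rec of records) temp[rec.id] = { ...rec };
  for (const rec of records) {
    if (rec.parent == null) roots.push(temp[rec.id]);
    else initPush(temp[rec.parent], "children", temp[rec.id]);
  }
  return roots;
}
// Hardened: reject prototype-affecting keys, index in a null-prototype object so no
// lookup reaches Object.prototype, and fail closed on a parent that was never indexed.
function convertGuarded(records) {
  const temp = Object.create(null), roots = [];
  for (const rec of records) {
    for (const k of [rec.id, rec.parent]) {
      if (k != null && UNSAFE_KEYS.has(String(k))) throw new Error(`unsafe key: ${k}`);
    }
    temp[rec.id] = { ...rec };
  }
  for (const rec of records) {
    if (rec.parent == null) roots.push(temp[rec.id]);
    else if (!(rec.parent in temp)) throw new Error(`unknown parent: ${rec.parent}`);
    else initPush(temp[rec.parent], "children", temp[rec.id]);
  }
  return roots;
}
// Constructed input: one ordinary root plus a record whose parent is "__proto__".
const SAMPLE = [
  { id: "a", parent: null, name: "root" },
  { id: "evil", parent: "__proto__", isAdmin: true },
];
// Run a converter, report whether Object.prototype gained an own "children" property
// and whether the call threw, then clean up so the next run starts from a clean state.
function pollutesPrototype(convert, records) {
  let threw = false;
  try { convert(records); } catch (e) { threw = true; }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "children");
  delete Object.prototype.children;
  return { polluted, threw };
}
```

With the constructed input, the unguarded converter leaves an own `children` property on `Object.prototype` while every built-in method remains untouched, which is why the advisory calls the pollution stealthy; the guarded converter throws before any write happens.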