CVE-2026-48170: scimPatch vulnerable to prototype pollution via unfiltered keys in patch
scim-patch is vulnerable to prototype pollution when applying a SCIM PATCH operation whose value object contains a dotted key such as "__proto__.someProp". The key path is resolved without filtering prototype-related segments, so the "__proto__" segment lands on Object.prototype. After one such patch, Object.prototype.someProp is set process-wide and is visible on every plain object in the Node process.
Any service that calls scimPatch() on attacker-controlled JSON (i.e. any SCIM endpoint that accepts PATCH from an external IdP) is exploitable on a stock Node runtime; no non-default configuration is required.
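The following is an added example, not scim-patch's own code. It reimplements the minimal pattern the advisory describes, a dotted-path setter that walks into "__proto__" unfiltered, beside a hardened setter that rejects prototype-related segments and only traverses own properties. The SCIM PATCH body, the function names (setPathUnsafe, setPathSafe, applyPatch) and the isAdmin property are all constructed for illustration.

```javascript
// Added example mirroring the advisory's described behaviour; not scim-patch's code.
// Key segments that must never be traversed or assigned by a path setter.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: every dotted segment is walked or created, so the "__proto__"
// segment resolves to Object.prototype and the final assignment pollutes it.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (node[parts[i]] === undefined) node[parts[i]] = {};
    node = node[parts[i]]; // for "__proto__" this is Object.prototype
  }
  node[parts[parts.length - 1]] = value;
}

// Hardened: reject forbidden segments up front, and only descend into
// own, object-valued properties (inherited ones are never reused).
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) {
      throw new Error(`refusing forbidden key "${p}" in path "${path}"`);
    }
  }
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
}

// Apply one SCIM PATCH operation whose value object carries dotted keys,
// using the supplied setter for each key/value pair.
function applyPatch(resource, patchOp, setter) {
  for (const [key, val] of Object.entries(patchOp.value)) {
    setter(resource, key, val);
  }
  return resource;
}

// Constructed attacker-controlled PATCH operation (not taken from the advisory).
// Note the key is the plain string "__proto__.isAdmin"; JSON.parse would keep
// it as an ordinary own property, and only the dotted-path split turns it
// into a traversal of __proto__.
const maliciousOp = {
  op: 'add',
  value: { displayName: 'Eve', '__proto__.isAdmin': true },
};

// Returns true if an unrelated object inherits isAdmin after the unsafe patch.
function demoUnsafe() {
  const user = { userName: 'alice' };
  applyPatch(user, maliciousOp, setPathUnsafe);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so the process stays usable
  return polluted;
}

// Returns whether the hardened setter rejected the patch and whether any
// pollution occurred.
function demoSafe() {
  const user = { userName: 'alice' };
  let rejected = false;
  try {
    applyPatch(user, maliciousOp, setPathSafe);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).isAdmin === true };
}

console.log('unsafe polluted Object.prototype:', demoUnsafe());
console.log('safe result:', demoSafe());
```

A quick post-incident check for a running service is the same one demoUnsafe() uses: evaluate `({}).someProp` (or `Object.prototype.hasOwnProperty('someProp')`) for the suspected property; a defined value on a fresh empty object means the prototype has already been polluted. The fix is to reject the forbidden segments before any traversal, since checking only the final key still lets "__proto__" be walked into.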