CVE-2026-27837: dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing __proto__ at any position other than the first.
Both dottie.set() and dottie.transform() are affected.
References
- github.com/advisories/GHSA-4gxf-g5gf-22h4
- github.com/advisories/GHSA-r5mx-6wc6-7h9w
- github.com/mickhansen/dottie.js
- github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14
- github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w
- nvd.nist.gov/vuln/detail/CVE-2026-27837
Code Behaviors & Features
Detect and mitigate CVE-2026-27837 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →