DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-1774: The King's Keys: Dethroning @casl/ability via Prototype Pollution

Vulnerability ID: CVE-2026-1774
CVSS Score: 9.8
Published: 2026-02-10

A critical prototype pollution vulnerability in the popular authorization library @casl/ability lets an attacker who can influence rule conditions write arbitrary properties onto the global Object prototype. Depending on what the application later reads from polluted objects, this bypasses security checks, causes Denial of Service, or, where the Node.js process contains a gadget that consumes the polluted property, leads to Remote Code Execution (RCE).

TL;DR

The bouncer is drunk. @casl/ability versions before 6.7.5 contain a flaw in the setByPath utility behind rulesToFields: it walks a dotted path segment by segment and creates intermediate objects without checking segment names, so a condition key such as '__proto__.isAdmin' resolves through '__proto__' to the global Object prototype and writes there. A library meant to restrict access thus becomes a tool for granting total control.
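The mechanism in runnable form, as an added example that is not code from this advisory or from CASL's repository: a reconstruction of the pre-6.7.5 setByPath shape beside a fail-closed version, both driven by a simplified stand-in for rulesToFields. The function names, the stand-in and the sample rules are assumptions; only the dotted-path walk and the 'res[prop] || {}' auto-vivification mirror what the page describes.

```javascript
'use strict';

// Segment names that must never be walked into when setting a dotted path.
const FORBIDDEN_PROPERTIES = new Set(['__proto__', 'constructor', 'prototype']);

// Reconstruction of the pre-6.7.5 setByPath shape (assumed, not CASL's source):
// every intermediate segment is auto-vivified with `res[prop] || {}` and there is
// no check on the segment name, so "__proto__" resolves to Object.prototype.
function vulnerableSetByPath(object, path, value) {
  let ref = object;
  let lastKey = path;
  if (path.indexOf('.') !== -1) {
    const keys = path.split('.');
    lastKey = keys.pop();
    ref = keys.reduce((res, prop) => {
      res[prop] = res[prop] || {};
      return res[prop];
    }, object);
  }
  ref[lastKey] = value;
}

// Hardened variant: reject the whole path up front (fail closed) and only reuse
// an intermediate value when it is an own, non-null object of the target.
function safeSetByPath(object, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_PROPERTIES.has(k))) {
    throw new TypeError(`refusing to set unsafe path "${path}"`);
  }
  const lastKey = keys.pop();
  const ref = keys.reduce((res, prop) => {
    const own = Object.prototype.hasOwnProperty.call(res, prop);
    if (!own || typeof res[prop] !== 'object' || res[prop] === null) res[prop] = {};
    return res[prop];
  }, object);
  ref[lastKey] = value;
}

// Simplified stand-in for what rulesToFields does with rule conditions (assumed):
// each condition key is treated as a dotted field path and written into a fresh
// object that callers use to pre-fill forms or defaults.
function rulesToFieldsWith(setByPath, rules) {
  return rules.reduce((fields, rule) => {
    for (const [key, val] of Object.entries(rule.conditions || {})) {
      setByPath(fields, key, val);
    }
    return fields;
  }, {});
}

// Constructed sample rules: a benign one and one carrying an attacker-chosen key.
const BENIGN_RULES = [
  { action: 'update', subject: 'Article', conditions: { 'author.id': 42, status: 'draft' } },
];
const MALICIOUS_RULES = [
  { action: 'read', subject: 'Article', conditions: { '__proto__.isAdmin': true } },
];

// Feed rules through a setByPath implementation and report whether an unrelated
// object now "has" isAdmin (the bypass) and whether the rule was rejected.
function runRules(setByPath, rules) {
  const probe = {}; // stands for any object in the process, e.g. a session or user record
  let rejected = false;
  try {
    rulesToFieldsWith(setByPath, rules);
  } catch (e) {
    rejected = true;
  }
  const polluted = probe.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so the rest of the process stays clean
  return { polluted, rejected };
}
```

With the vulnerable walk, a single malicious rule makes 'isAdmin' true on every object in the process, including ones created before the rule was loaded; the hardened version throws before touching anything, and a benign rule produces the same nested fields object in both.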


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network
  • CVSS Score: 9.8 (Critical)
  • EPSS Score: 0.00022 (Low Probability)
  • Exploit Status: PoC Available
  • Impact: RCE / DoS / Auth Bypass

Affected Systems

  • @casl/ability >= 2.4.0 and < 6.7.5 (fixed in 6.7.5)
  • Node.js applications that build CASL rules from dynamic data (user input, database rows, remote configuration)
  • Frontend applications that store CASL rules in local state (pollution there is confined to the browser realm, but can still disable client-side checks)

Code Analysis

Commit: 39da920

fix: potential prototype pollution in rulesToFields

+ const FORBIDDEN_PROPERTIES = new Set(['__proto__', 'constructor', 'prototype']);
- ref = keys.reduce((res, prop) => {
+ ref = keys.reduce((res, prop) => {
+   if (FORBIDDEN_PROPERTIES.has(prop)) return res;
    res[prop] = res[prop] || {};
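Review bot: `if (FORBIDDEN_PROPERTIES.has(prop)) return res;` skips the forbidden segment but keeps walking, so a path such as `owner.__proto__.isAdmin` is silently rewritten to `owner.isAdmin` instead of being rejected; consider throwing, or validating the whole path before the reduce, so a malicious rule fails closed and shows up in logs and tests. In the same hunk, `res[prop] = res[prop] || {}` still reuses any truthy inherited value, so a segment such as `toString` resolves to the function shared through `Object.prototype` and the next segment is written onto that shared object; checking own-ness with `Object.prototype.hasOwnProperty.call(res, prop)` before reusing `res[prop]` closes that. The `-`/`+` pair around the unchanged `ref = keys.reduce((res, prop) => {` line is a no-op that only adds noise to the diff.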

Exploit Details

  • GitHub: the fix commit includes a regression test case that doubles as the PoC

Mitigation Strategies

  • Update @casl/ability to version 6.7.5 or later.
  • Deep-validate all user-supplied JSON structures before they reach code that walks keys as paths: reject '__proto__', 'constructor' and 'prototype' at any depth, and also as segments of dotted keys such as 'a.__proto__.b'.
  • Call 'Object.freeze(Object.prototype)' in the application entry point so later pollution attempts fail instead of landing. Caveat: do this before loading any polyfill or library that extends Object.prototype, re-run the test suite afterwards, and remember it does not cover Array.prototype or other built-ins (Node's experimental '--frozen-intrinsics' flag freezes those too).
  • Use 'Map' (or objects created with 'Object.create(null)') for storage whose keys are user-controlled, so lookups never fall through to the prototype chain.
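The validation, freeze and Map items above in JavaScript, as an added example that is not the project's code; the function names and the sample rule JSON are constructed here. The validator splits keys on '.' so that dotted-path keys are checked segment by segment, which a plain key-name check would miss.

```javascript
'use strict';

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a value produced by JSON.parse and throw on any forbidden key at any
// depth. Keys are also split on "." because CASL condition keys are dotted
// paths, so "owner.__proto__.isAdmin" is one key that must still be rejected.
function assertNoPrototypeKeys(value, where = '$') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoPrototypeKeys(item, `${where}[${i}]`));
    return;
  }
  if (value === null || typeof value !== 'object') return;
  // JSON.parse creates an own "__proto__" data property, and Object.keys lists it.
  for (const key of Object.keys(value)) {
    for (const segment of key.split('.')) {
      if (FORBIDDEN_KEYS.has(segment)) {
        throw new Error(`forbidden key "${key}" at ${where}`);
      }
    }
    assertNoPrototypeKeys(value[key], `${where}.${key}`);
  }
}

// Parse untrusted rule JSON and validate it before it reaches any code that
// walks keys as paths. Returns the parsed rules, throws on a polluting key.
function parseRulesStrictly(json) {
  const rules = JSON.parse(json);
  assertNoPrototypeKeys(rules);
  return rules;
}

// True when the validator rejects the document (checks fail-closed behaviour).
function isRejected(json) {
  try {
    parseRulesStrictly(json);
    return false;
  } catch (e) {
    return true;
  }
}

// Freeze Object.prototype at process start: a later pollution attempt then throws
// in strict mode or is ignored in sloppy mode instead of landing. Do this before
// loading polyfills that extend Object.prototype, and note it leaves
// Array.prototype and Function.prototype untouched.
function hardenObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Storage keyed by user-controlled strings: a Map never consults the prototype
// chain, whereas a plain object hands back inherited members for "constructor".
function lookupInPlainObject(store, key) {
  return store[key];
}
function lookupInMap(store, key) {
  return store.get(key);
}

// Constructed sample documents.
const SAFE_RULES_JSON = JSON.stringify([
  { action: 'update', subject: 'Article', conditions: { 'author.id': 42 } },
]);
const POLLUTING_RULES_JSON =
  '[{"action":"read","subject":"Article","conditions":{"__proto__":{"isAdmin":true}}}]';
const DOTTED_RULES_JSON =
  '[{"action":"read","subject":"Article","conditions":{"owner.__proto__.isAdmin":true}}]';
```

hardenObjectPrototype() is meant to be the first call in the entry point; run the full test suite once after adding it, since any library that patches Object.prototype will start failing there rather than in production.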

Remediation Steps:

  1. Identify the vulnerable dependency: 'npm ls @casl/ability' (check every copy listed, including nested ones that other packages ship under their own node_modules).
  2. Update the package: 'npm update @casl/ability' only moves within the semver range declared in package.json, so a project pinned to an older major needs 'npm install @casl/ability@^6.7.5' (and a matching bump in any dependency that carries its own copy).
  3. Verify the version: ensure every installed copy is >= 6.7.5, via 'npm ls @casl/ability' or the lockfile.
  4. Run the regression tests to ensure authorization logic remains intact.
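The identify and verify steps as an added check that reads package-lock.json instead of relying on 'npm ls' output read by eye (example code, not the project's). The lockfile below is constructed, the lockfileVersion 2/3 'packages' layout is assumed, and the affected range is the one stated above.

```javascript
'use strict';

// Affected range from the advisory: >= 2.4.0 and < 6.7.5.
const AFFECTED_MIN = '2.4.0';
const FIXED_IN = '6.7.5';

// Minimal semver parsing with no dependency: three numbers plus an optional
// pre-release tag after "-".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) throw new Error(`unparseable version "${v}"`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts before its release, so 6.7.5-rc.1 is
// still inside the affected range. Two pre-releases of the same base compare
// equal here; full pre-release ordering is not needed for a range check.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, FIXED_IN) < 0;
}

// Scan the "packages" map of a lockfileVersion 2/3 package-lock.json. Nested
// copies live at paths like node_modules/<dep>/node_modules/@casl/ability and
// are easy to miss when reading `npm ls` output by eye.
function findVulnerableCopies(lock, name = '@casl/ability') {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === suffix || path.endsWith(`/${suffix}`);
    if (isTarget && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: the top-level copy is fixed, but a legacy plugin still
// depends on an old major, which `npm update` alone will not move.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@casl/ability': '^6.7.5', 'legacy-plugin': '1.0.0' } },
    'node_modules/@casl/ability': { version: '6.7.5' },
    'node_modules/legacy-plugin': { version: '1.0.0', dependencies: { '@casl/ability': '^4.1.0' } },
    'node_modules/legacy-plugin/node_modules/@casl/ability': { version: '4.1.6' },
  },
};
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); any hit means a copy sits in the affected range even when the top-level one is already fixed, so step 3 is only done when findVulnerableCopies returns an empty array.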

References


Read the full report for CVE-2026-1774 on our website for more details including interactive diagrams and full exploit analysis.
