
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2CJR-5V3H-V2W4: Prototype Pollution via Insecure Object.assign in Evolver Mailbox Store

Vulnerability ID: GHSA-2CJR-5V3H-V2W4
CVSS Score: 5.3
Published: 2026-04-22

The @evomap/evolver npm package contains a prototype pollution vulnerability in its mailbox persistence logic. Versions prior to 1.69.3 use Object.assign() insecurely when applying records read back from the local persistence file (messages.jsonl), so the parsed JSON is merged into in-memory objects without filtering keys such as __proto__. An attacker who can write to that file can inject prototype properties, leading to application-wide state manipulation, authorization bypass, or denial of service.

TL;DR

Insecure use of Object.assign() in Evolver's mailbox store allows prototype pollution, enabling attackers with local file write access to manipulate application state and bypass authorization checks.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Prototype Pollution
  • CWE ID: CWE-1321
  • Attack Vector: Local (File Modification)
  • CVSS Base Score: 5.3
  • Impact: Authorization Bypass, DoS, Logic Manipulation
  • Exploit Status: Proof of Concept Available

Affected Systems

  • @evomap/evolver npm package: versions < 1.69.3 (fixed in 1.69.3)
  • Node.js applications utilizing Evolver for mailbox management

Exploit Details

  • Research Context: A proof-of-concept payload exists that targets the messages.jsonl persistence format (one JSON record per line); it requires write access to that file.
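To make the mechanism concrete, the following is an added example and not Evolver's code: a hypothetical mailbox loader that merges messages.jsonl records with Object.assign(), a constructed proof-of-concept file showing the two ways a crafted line can pollute prototypes (a record whose id is "__proto__" makes the merge target Object.prototype itself, which is application-wide; an own "__proto__" key in a record swaps that one record's prototype, so property checks on it return attacker values that are not own properties), and a hardened loader using a Map, null-prototype records and an allow-list of keys. The record fields and the ALLOWED_KEYS schema are assumptions for illustration.

```javascript
// Added example (not Evolver's code): a hypothetical JSONL mailbox store that
// merges persisted records with Object.assign(), the pollution it allows, and
// a hardened loader. Field names and ALLOWED_KEYS are assumed for illustration.

// Keys that must never be used as a record id or copied by a merge.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical schema for a mailbox record (an assumption, not Evolver's).
const ALLOWED_KEYS = new Set(["id", "from", "to", "body", "acked"]);

function splitJsonl(text) {
  return text.split("\n").filter((line) => line.trim() !== "");
}

// VULNERABLE pattern: a plain object keyed by record id, updated in place.
//  1. id "__proto__": store[id] resolves to Object.prototype, so Object.assign
//     writes the attacker's keys onto Object.prototype (every object inherits them).
//  2. an own "__proto__" key in the line: Object.assign invokes the __proto__
//     setter on the target and replaces that record's prototype.
function loadMailboxVulnerable(jsonl) {
  const store = {};
  for (const line of splitJsonl(jsonl)) {
    const rec = JSON.parse(line);
    store[rec.id] = Object.assign(store[rec.id] || {}, rec);
  }
  return store;
}

// HARDENED: Map for the index, null-prototype records, allow-listed keys only.
function loadMailboxSafe(jsonl) {
  const store = new Map();
  for (const line of splitJsonl(jsonl)) {
    const rec = JSON.parse(line);
    if (typeof rec !== "object" || rec === null || Array.isArray(rec)) {
      throw new Error("record must be a JSON object");
    }
    if (typeof rec.id !== "string" || DANGEROUS_KEYS.has(rec.id)) {
      throw new Error(`unsafe record id: ${JSON.stringify(rec.id)}`);
    }
    const clean = Object.create(null);
    for (const key of Object.keys(rec)) {      // own keys; JSON.parse makes "__proto__" an own key
      if (!ALLOWED_KEYS.has(key)) {
        throw new Error(`unexpected key in record ${rec.id}: ${key}`);
      }
      clean[key] = rec[key];
    }
    const existing = store.get(rec.id) || Object.create(null);
    store.set(rec.id, Object.assign(existing, clean));
  }
  return store;
}

// Constructed messages.jsonl content for the demo (sample input, not a real capture).
const POC_JSONL = [
  '{"id":"m1","from":"alice","body":"hi"}',
  '{"id":"__proto__","isAdmin":true}',                  // vector 1: global pollution
  '{"id":"m2","from":"bob","__proto__":{"acked":true}}', // vector 2: per-record prototype swap
].join("\n");

// Runs both loaders over the PoC file and returns what each one produced.
function runDemo() {
  const out = {};
  out.isAdminBefore = ({}).isAdmin;                   // undefined: prototype is clean

  const store = loadMailboxVulnerable(POC_JSONL);
  out.isAdminAfter = ({}).isAdmin;                    // true: every object is now "isAdmin"
  out.m2Acked = store.m2.acked;                       // true, although never written as an own key
  out.m2AckedIsOwn = Object.prototype.hasOwnProperty.call(store.m2, "acked"); // false

  // Undo the global pollution so the rest of the process is unaffected.
  delete Object.prototype.isAdmin;
  delete Object.prototype.id;

  try {
    loadMailboxSafe(POC_JSONL);
    out.safeError = null;
  } catch (e) {
    out.safeError = e.message;                        // the "__proto__" id line is rejected
  }
  out.safeStore = loadMailboxSafe(splitJsonl(POC_JSONL)[0]); // a clean record still loads
  out.isAdminEnd = ({}).isAdmin;                      // undefined again
  return out;
}
```

Note that an own-property check (hasOwnProperty) on the merged record returns false for "acked" even though store.m2.acked is true, so any authorization logic that reads properties off a merged record without validating the input keys is fooled. Running Node with --disable-proto=delete makes both lines in this demo harmless own-property writes (store["__proto__"] becomes undefined and the setter no longer exists), but the Map plus key allow-list removes the root cause without relying on a runtime flag.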

Mitigation Strategies

  • Upgrade @evomap/evolver to version 1.69.3 or later; this is the fix, the remaining items are defence in depth.
  • Restrict OS-level write permissions on the messages.jsonl persistence file so that only the service account running Evolver can modify it.
  • Run the Node.js runtime with --disable-proto=delete or --disable-proto=throw (available since Node.js 12.17), which removes or traps the Object.prototype.__proto__ accessor. This can break libraries that legitimately rely on __proto__, so test before deploying it.
  • Validate records loaded from persistence against a strict schema before merging them into in-memory state: allow-list the expected keys and reject __proto__, constructor and prototype both as keys and as record identifiers.

Remediation Steps:

  1. Identify the current version of @evomap/evolver using npm ls @evomap/evolver.
  2. Update the package using npm install @evomap/evolver@^1.69.3.
  3. Locate the data directory utilized by Evolver.
  4. Apply strict chmod 600 or equivalent permissions to the mailbox storage files.
  5. Restart the application process to ensure no polluted objects remain in memory.

Read the full report for GHSA-2CJR-5V3H-V2W4 on our website for more details including interactive diagrams and full exploit analysis.
