CVE-2026-1774 Overview
CVE-2026-1774 is a prototype pollution vulnerability affecting the CASL Ability package, versions 2.4.0 through 6.7.4. CASL is a widely deployed JavaScript authorization library used to define permissions in Node.js and browser-based applications. The flaw allows attackers to manipulate object prototypes through user-controlled input, corrupting application logic across the entire JavaScript runtime. Successful exploitation can lead to authorization bypass, denial of service, or remote code execution depending on how downstream code consumes polluted properties. The vulnerability is classified under CWE-1321, Improperly Controlled Modification of Object Prototype Attributes.
Critical Impact
Remote attackers can pollute Object.prototype without authentication, undermining authorization checks across applications relying on CASL Ability for access control.
Affected Products
- CASL Ability 2.4.0 through 6.7.4
- Node.js applications importing the @casl/ability package within the affected range
- Browser and server-side JavaScript projects bundling vulnerable CASL versions
Discovery Timeline
- 2026-02-10 - CVE-2026-1774 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-1774
Vulnerability Analysis
The vulnerability stems from unsafe recursive merging or property assignment within CASL Ability's rule processing logic. When the library copies attacker-controlled keys into JavaScript objects, it fails to filter reserved keys such as __proto__, constructor, and prototype. An attacker who can supply structured input — for example, JSON parsed from an HTTP request — can therefore write properties onto Object.prototype itself.
Because every JavaScript object inherits from Object.prototype, polluted properties propagate globally within the process. Authorization rules evaluated by CASL may return incorrect verdicts once the prototype chain is tampered with, defeating the security boundary the library is intended to enforce. Mozilla maintains an overview of this class of bug in its Prototype Pollution documentation.
Root Cause
The root cause is missing key sanitization during object property assignment in the affected @casl/ability versions. The library accepts nested keys without verifying that target keys are not __proto__, constructor.prototype, or equivalent reserved identifiers. The source code is published in the GitHub CASL Ability repository.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a crafted payload — typically a JSON body containing a __proto__ key — to an endpoint that forwards the data into CASL ability definitions or condition checks. Once the prototype is polluted, subsequent permission evaluations operate on corrupted inheritance chains, enabling authorization bypass or, in applications that rely on prototype lookups for code dispatch, arbitrary code execution. Additional analysis is published in CERT Vulnerability Note #458422.
Detection Methods for CVE-2026-1774
Indicators of Compromise
- HTTP request bodies or query parameters containing literal __proto__, constructor, or prototype keys in JSON structures
- Unexpected global properties appearing on objects at runtime, such as new methods or flags not defined in application code
- Authorization decisions from CASL returning true for users who should be denied, with no corresponding rule changes
Detection Strategies
- Inspect application dependency manifests (package.json, package-lock.json, yarn.lock) for @casl/ability versions between 2.4.0 and 6.7.4
- Add runtime assertions that check Object.prototype for unexpected enumerable properties after handling untrusted input
- Deploy web application firewall rules that flag request payloads containing prototype-related keys
Monitoring Recommendations
- Forward application logs into a centralized analytics platform and alert on anomalous CASL authorization outcomes
- Monitor Node.js process memory and behavior for newly introduced prototype properties using runtime application self-protection tooling
- Correlate inbound traffic patterns with CASL decision logs to identify suspicious authorization grants tied to specific request payloads
How to Mitigate CVE-2026-1774
Immediate Actions Required
- Upgrade @casl/ability to a version newer than 6.7.4 once the maintainer publishes a fixed release
- Audit application code paths that pass user-supplied data into CASL rule definitions or condition objects
- Reject HTTP payloads containing reserved keys such as __proto__, constructor, and prototype at the input validation layer
Patch Information
Review the GitHub CASL Ability repository for the latest release notes and apply the upgraded package version once available. Confirm fixed-version metadata against the CERT Vulnerability Note #458422 advisory before deploying to production.
Workarounds
- Freeze the prototype at application startup using Object.freeze(Object.prototype) to block runtime mutations
- Use Object.create(null) for objects derived from untrusted input so they have no prototype chain to pollute
- Validate and sanitize JSON input with a schema validator that rejects unknown or reserved keys before passing data to CASL
# Dependency check: list the installed @casl/ability version, then upgrade it
npm ls @casl/ability
npm update @casl/ability
# npm update stays inside the semver range declared in package.json; to move to a
# fixed release in a newer major, pin it explicitly (placeholder version below):
# npm install @casl/ability@<fixed-version>
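The three workarounds above combined into one input-hardening routine, as an added example that is not code from the CASL project: scanning parsed JSON for reserved keys, copying it into Object.create(null) objects, and a runtime check that Object.prototype is unchanged. The helper names (findReservedKey, toSafeObject, prototypeIsClean, parseConditions) and the sample request body are assumptions of this example.

```javascript
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample of the request-body indicator listed above: JSON with a
// literal "__proto__" key. JSON.parse stores it as an ordinary own property,
// so the scan uses Object.keys. findReservedKey(JSON.parse(SAMPLE_BODY)) -> '$.__proto__'
const SAMPLE_BODY = '{"authorId":"u1","__proto__":{"isAdmin":true}}';

// Return the path of the first reserved key in a parsed JSON value, or null.
function findReservedKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findReservedKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (RESERVED_KEYS.has(key)) return `${path}.${key}`;
      const hit = findReservedKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Deep-copy untrusted data into null-prototype objects (Object.create(null)):
// reserved keys are dropped, and the copies have no chain left to pollute.
function toSafeObject(value) {
  if (Array.isArray(value)) return value.map(toSafeObject);
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (!RESERVED_KEYS.has(key)) out[key] = toSafeObject(value[key]);
  }
  return out;
}

// Runtime assertion (hypothetical helper): Object.prototype still has exactly
// the own property names it had when this module loaded.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype).every((n) => BASELINE.has(n));
}

// Gate for request data headed into a CASL rule's condition object.
function parseConditions(jsonText) {
  const parsed = JSON.parse(jsonText);
  const bad = findReservedKey(parsed);
  if (bad) throw new Error(`rejected reserved key at ${bad}`);
  const safe = toSafeObject(parsed);
  if (!prototypeIsClean()) throw new Error('Object.prototype was modified');
  return safe;
}
```

Take the baseline before loading other modules, otherwise an already-polluted prototype is recorded as clean. Object.freeze(Object.prototype) is the stricter option but breaks libraries that extend built-in prototypes, so test it before enabling it in production.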
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.