CVE-2026-26021 Overview
A critical prototype pollution vulnerability exists in the npm package set-in (versions >=2.0.1 and <2.0.5). The package sets a value inside a nested associative structure given an array of keys. An earlier fix attempted to prevent prototype pollution by checking whether user-supplied keys matched a list of forbidden names, but that check was incomplete: crafted input that makes use of Array.prototype can still pollute Object.prototype.
Critical Impact
Attackers who can influence the key path passed to set-in can inject properties into Object.prototype, which every ordinary JavaScript object inherits. The impact depends on how downstream code reads those inherited properties: denial of service (crashes, hangs or type confusion), bypass of checks that treat an absent property as "not set", and, where a polluted property feeds a code-loading or template gadget, code execution.
Affected Products
- npm package set-in versions >=2.0.1 and < 2.0.5
- Applications and libraries that depend on vulnerable versions of set-in
Discovery Timeline
- February 11, 2026 - CVE-2026-26021 published to NVD
- February 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-26021
Vulnerability Analysis
This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes - Prototype Pollution). Prototype pollution occurs when an attacker can inject properties into existing JavaScript object prototypes, affecting all objects that inherit from the polluted prototype.
The set-in package previously implemented a fix intended to prevent prototype pollution: a blocklist of forbidden keys (__proto__, constructor and prototype) against which incoming path elements were checked. That mitigation was incomplete. Crafted input that makes use of Array.prototype still reaches the prototype chain without naming a blocked key directly.
When exploited, prototype pollution can have severe consequences including modification of application behavior, bypassing security controls, causing denial of service, or achieving remote code execution depending on how the polluted properties are used by downstream code.
Root Cause
The root cause is incomplete validation of user-controlled path elements inside the recursivelySetIn function. The earlier fix rejected path elements that directly named __proto__, constructor or prototype, but it did not account for input that reaches the prototype chain by way of Array.prototype. A name-based blocklist is only as strong as its notion of a "name": anything that resolves to a forbidden property at the moment object[key] is evaluated, without first matching the list, defeats it.
The security patch for version 2.0.5 removed the POLLUTED_KEYS blocklist in favor of a more comprehensive fix. The commit excerpt below shows the removal; the replacement check is not visible in the excerpt.
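To make the root cause concrete, the following is an added illustration written for this page; it is not set-in's source and does not reproduce the advisory's exact payload. It contrasts an unguarded recursive setter with one guarded by a POLLUTED_KEYS-style string blocklist, and shows one Array.prototype-dependent input that such a blocklist misses: an array element whose Array.prototype.toString form is "__proto__". Treating that as the mechanism set-in was hit by is an assumption; what the code demonstrates with certainty is that equality against a list of strings does not control what object[key] resolves to.

```javascript
// Added illustration, not set-in's code: why a string blocklist inside a
// recursive nested setter is not a complete prototype-pollution guard.
// ASSUMPTION: the exact set-in bypass is not reproduced on this page; the
// coerced payload below is one Array.prototype-based route (Array.prototype
// .toString turns ['__proto__'] into "__proto__" at property access).

// 1. Unguarded recursive setter: the classic vulnerable shape.
function unguardedSetIn (object, path, value, index = 0) {
  if (index === path.length) return value
  const key = path[index]
  const existing = object[key]
  const next = existing !== null && typeof existing === 'object' ? existing : {}
  object[key] = unguardedSetIn(next, path, value, index + 1)
  return object
}

// 2. Blocklist-guarded setter: the incomplete-fix shape. Each element is
// compared against forbidden names by strict equality, so only a *string*
// "__proto__" is caught.
const POLLUTED_KEYS = ['__proto__', 'constructor', 'prototype']

function blocklistSetIn (object, path, value, index = 0) {
  if (index === path.length) return value
  const key = path[index]
  if (POLLUTED_KEYS.includes(key)) throw new Error('forbidden key: ' + String(key))
  const existing = object[key]
  const next = existing !== null && typeof existing === 'object' ? existing : {}
  object[key] = blocklistSetIn(next, path, value, index + 1)
  return object
}

// Constructed payloads. Both resolve to the same property name when used as
// object[key]; only the first is a string the blocklist can match.
const STRING_PAYLOAD = ['__proto__']
const COERCED_PAYLOAD = [['__proto__']] // array element: String(['__proto__']) === '__proto__'

// Runs a payload through a setter and reports whether a brand-new object now
// inherits the injected property. Always removes the pollution afterwards.
function pollutes (setter, payload) {
  let hit = false
  try {
    setter({}, [...payload, 'polluted'], 'yes')
    hit = ({}).polluted === 'yes'
  } catch (e) {
    hit = false // the guard rejected the path
  } finally {
    delete Object.prototype.polluted
  }
  return hit
}

function summary () {
  return {
    unguarded_string: pollutes(unguardedSetIn, STRING_PAYLOAD),   // true
    blocklist_string: pollutes(blocklistSetIn, STRING_PAYLOAD),   // false
    blocklist_coerced: pollutes(blocklistSetIn, COERCED_PAYLOAD)  // true: bypass
  }
}

console.log(summary())
```

The third result is the point: the blocklist never sees the string "__proto__", yet the write lands on Object.prototype because the coercion happens inside the property access, after the check.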
Attack Vector
Exploitation requires the ability to supply or alter the values passed to the set-in function (the advisory characterizes this as local access). The attacker crafts a path that reaches the prototype chain through Array.prototype instead of directly naming a blocked key; when the application passes that path to the vulnerable recursivelySetIn function, properties are written onto the shared prototype. Any application that builds the path array from untrusted request data exposes the same weakness to its remote callers.
return recursivelySetIn(object, path, value, 0)
}
-const POLLUTED_KEYS = ['__proto__', 'constructor', 'prototype']
-
function recursivelySetIn (object, path, value, index) {
if (index === path.length) {
return value
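Review bot: the visible hunk removes `const POLLUTED_KEYS = ['__proto__', 'constructor', 'prototype']` but shows no replacement validation inside `recursivelySetIn`; the only guard left in view is the base case `if (index === path.length)`. The hunk should include, or the commit should point to, where path elements are now checked before `object[key]` is dereferenced (whether in `recursivelySetIn` or ahead of the call `return recursivelySetIn(object, path, value, 0)`), and the change should carry a regression test for the Array.prototype-based input the advisory describes, since a string-equality blocklist is exactly what that input got past.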
Source: GitHub Commit Details
Detection Methods for CVE-2026-26021
Indicators of Compromise
- Unexpected properties appearing on Object.prototype or Array.prototype at application runtime
- Application behavior anomalies caused by polluted prototype properties being inherited by unrelated objects
- Request payloads in logs whose key paths contain __proto__, constructor or prototype, or contain non-string elements (nested arrays or objects) where plain string keys are expected
Detection Strategies
- In development and test environments, surface pollution attempts by freezing intrinsic prototypes (Object.freeze(Object.prototype), or Node.js's experimental --frozen-intrinsics flag) so that writes to them throw in strict-mode code, or by snapshotting the own properties of Object.prototype and Array.prototype at startup and diffing them periodically
- Audit application dependencies using npm audit or similar tools to identify vulnerable set-in versions
- Review application logs for unusual nested path inputs that may indicate exploitation attempts
- Use static analysis tools to detect prototype pollution patterns in Node.js applications
Monitoring Recommendations
- Monitor package dependency updates and security advisories for set-in and related packages
- Implement integrity monitoring for JavaScript prototype objects in security-critical applications
- Set up alerts for dependency vulnerability notifications through npm audit or Snyk
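The log-review and prototype-integrity items above, in code. This is an added example, not part of the advisory or the set-in project: findProtoKeys, scanLog, snapshotPrototypes and checkPrototypes are hypothetical names, the access-log line layout is constructed, and the set of watched prototypes is a choice made here.

```javascript
// Added detection example, not from the advisory: (1) a scanner for logged
// request bodies whose key paths contain prototype-reaching names, and (2) a
// runtime integrity check that snapshots intrinsic prototypes and reports
// properties added afterwards. Log lines and field layout are constructed.
const PROTO_NAMES = new Set(['__proto__', 'constructor', 'prototype'])

// Walks a decoded JSON value and returns pointer-style locations of every key,
// or array element, whose String() form is a prototype-reaching name. Array
// elements are checked because a path such as [["__proto__"], "x"] coerces to
// "__proto__" when later used as a property key.
function findProtoKeys (value, where = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      const here = where + '/' + i
      if (PROTO_NAMES.has(String(item))) { out.push(here); return }
      findProtoKeys(item, here, out)
    })
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = where + '/' + key
      if (PROTO_NAMES.has(key)) out.push(here)
      findProtoKeys(value[key], here, out)
    }
  }
  return out
}

// Constructed sample log lines: an access log that records the JSON body.
const SAMPLE_LOG = [
  '2026-02-12T10:00:01Z POST /api/prefs body={"path":["theme","color"],"value":"dark"}',
  '2026-02-12T10:00:02Z POST /api/prefs body={"path":["__proto__","isAdmin"],"value":true}',
  '2026-02-12T10:00:03Z POST /api/prefs body={"path":[["__proto__"],"isAdmin"],"value":true}',
  '2026-02-12T10:00:04Z POST /api/prefs body={"path":["constructor","prototype","isAdmin"],"value":true}'
]

// Returns the lines whose body contains prototype-reaching input, with the
// locations found. Unparseable bodies are skipped rather than trusted.
function scanLog (lines) {
  const hits = []
  for (const line of lines) {
    const m = line.match(/ body=(\{.*\})$/)
    if (!m) continue
    let body
    try { body = JSON.parse(m[1]) } catch (e) { continue }
    const found = findProtoKeys(body)
    if (found.length > 0) hits.push({ line, found })
  }
  return hits
}

// Runtime integrity: record the own keys of the prototypes pollution targets,
// then report any key present later that was not in the snapshot.
const WATCHED_PROTOTYPES = {
  'Object.prototype': Object.prototype,
  'Array.prototype': Array.prototype,
  'Function.prototype': Function.prototype
}

function snapshotPrototypes () {
  const snap = {}
  for (const [name, proto] of Object.entries(WATCHED_PROTOTYPES)) {
    snap[name] = new Set(Reflect.ownKeys(proto))
  }
  return snap
}

function checkPrototypes (snap) {
  const added = []
  for (const [name, proto] of Object.entries(WATCHED_PROTOTYPES)) {
    for (const key of Reflect.ownKeys(proto)) {
      if (!snap[name].has(key)) added.push(name + '.' + String(key))
    }
  }
  return added
}

// Simulates a successful pollution between snapshot and check, then cleans up.
function demoRuntimeDetection () {
  const snap = snapshotPrototypes()
  try {
    Object.prototype.isAdmin = true
    return checkPrototypes(snap)
  } finally {
    delete Object.prototype.isAdmin
  }
}

console.log(scanLog(SAMPLE_LOG).map(h => h.found)) // [['/path/0'], ['/path/0'], ['/path/0', '/path/1']]
console.log(demoRuntimeDetection())                 // ['Object.prototype.isAdmin']
```

In a real service the snapshot would be taken once at startup and checkPrototypes run on a timer or at request boundaries; a non-empty result is a high-confidence indicator, since legitimate code rarely adds properties to Object.prototype after initialization.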
How to Mitigate CVE-2026-26021
Immediate Actions Required
- Upgrade set-in to version 2.0.5 or later immediately
- Audit all applications using set-in to identify vulnerable deployments
- Review application code for user-controlled input being passed to set-in functions
- Implement input validation as a defense-in-depth measure before passing data to nested property setters
Patch Information
The vulnerability has been fixed in version 2.0.5 of the set-in npm package. The fix involves a more comprehensive approach to preventing prototype pollution that goes beyond the previous blocklist-based mitigation.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-2c4m-g7rx-63q7 and the GitHub Commit Details.
Workarounds
- If upgrading is not immediately possible, implement input sanitization that validates all path arrays before passing them to set-in
- Consider using alternative packages with proven prototype pollution protections
- Freeze prototype objects where feasible (Object.freeze(Object.prototype)) as a temporary defense measure. Caveat: this breaks libraries that legitimately extend built-in prototypes, and in non-strict code the blocked write fails silently instead of throwing, so test thoroughly before enabling it in production
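A concrete form of the first workaround, as an added example that is not set-in's code: assertSafePath and safeSetIn are hypothetical names, and the policy (string or non-negative integer elements only, forbidden names rejected, descent only into own properties) is a choice made here rather than anything the advisory specifies. The type check runs before the name check because a non-string element coerces to a string only at property access, which is exactly where a name-only blocklist stops looking.

```javascript
// Added example of the path-validation workaround, not set-in's code:
// validate every path array before it reaches a nested setter, and descend
// only into own properties so a prototype can never become the write target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
const hasOwn = Object.prototype.hasOwnProperty

// Throws unless every element is a plain string or a non-negative integer
// index whose string form is not a prototype-reaching name. The type check
// comes first: a non-string element such as ['__proto__'] coerces to
// "__proto__" at property access and would slip past a name-only check.
function assertSafePath (path) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array')
  }
  for (const key of path) {
    const isIndex = Number.isInteger(key) && key >= 0
    if (typeof key !== 'string' && !isIndex) {
      throw new TypeError('path elements must be strings or array indices')
    }
    if (FORBIDDEN_KEYS.has(String(key))) {
      throw new TypeError('forbidden key in path: ' + String(key))
    }
  }
  return path
}

// Hardened setter: validates the whole path up front, then walks only own
// properties (inherited values such as Object.prototype are never reused as
// containers), creating arrays for integer steps and plain objects otherwise.
function safeSetIn (object, path, value) {
  assertSafePath(path)
  let current = object
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i]
    const own = hasOwn.call(current, key) ? current[key] : undefined
    if (own === null || typeof own !== 'object') {
      current[key] = Number.isInteger(path[i + 1]) ? [] : {}
    }
    current = current[key]
  }
  current[path[path.length - 1]] = value
  return object
}

// Exercises one path against a fresh object and reports the outcome; removes
// any pollution that might have leaked so later code is unaffected.
function tryPath (path) {
  try {
    safeSetIn({}, path, 'yes')
    return ({}).polluted === 'yes' ? 'polluted' : 'accepted'
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'error'
  } finally {
    delete Object.prototype.polluted
  }
}

console.log({
  plain: tryPath(['theme', 'polluted']),                        // accepted
  stringProto: tryPath(['__proto__', 'polluted']),              // rejected
  coercedProto: tryPath([['__proto__'], 'polluted']),           // rejected
  ctorProto: tryPath(['constructor', 'prototype', 'polluted']), // rejected
  example: safeSetIn({}, ['users', 0, 'name'], 'alice')         // { users: [ { name: 'alice' } ] }
})
```

If the real set-in call cannot be replaced, assertSafePath alone can sit in front of it as the validation layer; the own-property descent in safeSetIn is the defense-in-depth half that does not depend on the blocklist being complete.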
# Upgrade set-in to the patched version (npm install with a version range; npm update does not take one)
npm install set-in@^2.0.5
# Verify the installed version, including any transitive copies
npm ls set-in
# If set-in is only a transitive dependency, pin it with an "overrides" entry in package.json (npm 8.3+)
# Audit for remaining vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.