CVE-2023-26102

7.5 HIGH

📋 TL;DR

CVE-2023-26102 is a prototype pollution vulnerability in the rangy JavaScript library. The extend() function merges the properties of a source object into a target object recursively without filtering keys such as __proto__, so an attacker who controls the source object can write properties onto Object.prototype and have them appear on every object in the page. Depending on how the polluted properties are later used, this leads to denial of service, data or logic manipulation, and, where the application contains a suitable gadget, remote code execution or privilege escalation. All versions of the rangy package are affected and no fixed release exists.
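To make the mechanism concrete, here is an added example (written for this page, not rangy's own extend() source) of a recursive merge in the vulnerable style beside a hardened version that refuses prototype-polluting keys. The function names naiveExtend and safeExtend and the payload are constructed for the illustration.

```javascript
// Added illustration, not rangy's code: a recursive merge in the style the
// CVE describes, beside a hardened merge that drops polluting keys.

// Vulnerable pattern: for...in copies every enumerable key of source,
// including an own property literally named "__proto__" (which JSON.parse
// creates), and recurses into it. target["__proto__"] resolves to
// Object.prototype, so the attacker's nested keys land on every object.
function naiveExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: iterate own keys only and skip the three names that can reach a
// prototype at any nesting level. A nested target is only reused when it is
// an own plain object, never an inherited one.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, shaped like a parsed JSON request body.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');

// Runs both merges against a fresh target and reports what an unrelated,
// freshly created object sees afterwards.
function demo() {
  const before = ({}).polluted;        // undefined: nothing polluted yet
  naiveExtend({}, PAYLOAD);
  const afterNaive = ({}).polluted;    // true: Object.prototype was written
  delete Object.prototype.polluted;    // undo the global damage for the next step
  safeExtend({}, PAYLOAD);
  const afterSafe = ({}).polluted;     // undefined: the key was dropped
  return { before, afterNaive, afterSafe };
}
```

The cleanup line matters in practice too: once Object.prototype is polluted, every object in the realm is affected until the page or process is restarted, which is why the likely outcome is a crash rather than a contained bug.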

💻 Affected Systems

Products:
  • rangy
Versions: All versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that passes attacker-influenced data (for example a parsed JSON body or URL parameters) into rangy's extend() is exploitable regardless of configuration; there is no setting that disables the behaviour

📦 What is this software?

Rangy is a cross-browser JavaScript library for working with DOM ranges and text selections, published as the rangy npm package and maintained on GitHub under timdown/rangy. It is typically embedded in browser-side rich-text editors and annotation tools.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft or ransomware deployment. This requires the polluted property to reach a gadget that executes code (a template engine, an eval-style loader, or a child process in a server-side bundle that shares the library) and is uncommon for a browser-only deployment.

🟠 Likely Case

Denial of service (polluted properties break unrelated code paths and crash the page or process), application crashes, or limited data manipulation such as forcing a flag or default value onto every object.

🟢 If Mitigated

Minimal impact when attacker-controlled objects are filtered before they reach extend(), or when the library has been removed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is documented in the linked GitHub issue. Exploitation requires attacker-controlled data to reach an extend() call, typically through malicious content the application loads or a user interacts with; no credentials are needed once that path exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://github.com/timdown/rangy/issues/478

Restart Required: No

Instructions:

No official patch is available. Remove rangy or replace it with an alternative, and until then ensure that untrusted data never reaches extend().

🔧 Temporary Workarounds

Remove rangy dependency

Platform: all

Completely remove rangy from your project and replace it with an alternative range/selection library; in current browsers the native Selection and Range APIs cover most of what rangy was written to abstract.

npm uninstall rangy

Input validation wrapper

Platform: all

Wrap your own rangy.extend() calls so that prototype-polluting keys are stripped from the source object at every nesting level before the merge. This does not cover calls to extend() made inside rangy itself, so it reduces rather than removes the exposure.

// JavaScript wrapper example: drop keys that can reach Object.prototype
// (at every depth) before handing the object to rangy.extend()
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function stripPollutingKeys(obj) {
  if (obj === null || typeof obj !== 'object') return obj;
  const out = Array.isArray(obj) ? [] : {};
  for (const key of Object.keys(obj)) {   // own keys only; inherited ones are ignored
    if (!BLOCKED_KEYS.has(key)) out[key] = stripPollutingKeys(obj[key]);
  }
  return out;
}
function safeExtend(target, source) {
  return rangy.extend(target, stripPollutingKeys(source));
}

🧯 If You Can't Patch

  • Filter attacker-controlled objects before they reach extend(): reject or strip the keys __proto__, constructor and prototype at every nesting level, and where the application tolerates it freeze Object.prototype (Object.freeze(Object.prototype)) so pollution attempts fail silently instead of succeeding
  • Implement a Content Security Policy (CSP) to limit what a polluted property can be turned into (for example by blocking inline or remote script loading); CSP does not prevent the pollution itself
  • Use web application firewall (WAF) rules that block request bodies and query strings carrying __proto__ or constructor.prototype keys; this only covers input that passes through the server, not data the client assembles on its own

🔍 How to Verify

Check if Vulnerable:

Check package.json and the lockfile for a rangy dependency, direct or transitive. Because every released version is affected, the version number only confirms presence; what matters is whether untrusted data can reach extend().

Check Version:

npm list rangy

Verify Fix Applied:

Confirm rangy is removed from dependencies and not loaded in application

📡 Detection & Monitoring

Log Indicators:

  • Requests whose JSON body or query string contains keys named __proto__, or constructor nested over prototype, followed by unexpected behaviour in the page
  • Sudden clusters of client-side JavaScript errors (for example "x is not a function" or "Cannot read properties of undefined") after a specific request, which is how a polluted prototype usually surfaces as denial of service

Network Indicators:

  • Request payloads that set __proto__ or constructor.prototype properties, whether in JSON bodies, bracket-notation query parameters (a[__proto__][b]=1) or URL fragments consumed by client-side code

SIEM Query:

source="web_logs" AND (request_body="*__proto__*" OR uri_query="*__proto__*" OR request_body="*constructor*prototype*")

The field names request_body and uri_query are placeholders for whatever your log pipeline uses. Match on the polluting keys rather than on the words "rangy", "extend()" or "prototype", which rarely appear in request logs and false-positive on ordinary search terms, and do not filter on status=500: a successful pollution returns 200.
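As an added example, not part of the advisory, the following JavaScript applies the indicators above to a handful of constructed request records. The record fields (path, query, body) and the log format are assumptions; adapt the extraction to your own pipeline.

```javascript
// Added detection example (not from the advisory): flag requests whose JSON
// body or query string carries prototype-polluting keys.
const POLLUTION_KEYS = ['__proto__', 'constructor', 'prototype'];

// Walk a parsed JSON value and return the dotted paths of every key that can
// reach a prototype. "constructor" alone is noisy in some APIs; tune to taste.
function findPollutingKeys(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTION_KEYS.includes(key)) found.push(here);
    findPollutingKeys(value[key], here, found);
  }
  return found;
}

// Query strings are a second vector when a server-side parser expands
// bracket notation (a[__proto__][b]=1) into nested objects. The bare word
// "prototype" is deliberately not matched, so search terms do not alert.
const QUERY_PATTERN = /__proto__|constructor(\]\[|\[|\.)prototype/i;

function queryHasPollution(query) {
  let decoded = query;
  try { decoded = decodeURIComponent(query); } catch (e) { /* keep raw on bad encoding */ }
  return QUERY_PATTERN.test(decoded);
}

// Constructed request records standing in for parsed web-server log lines.
const SAMPLE_REQUESTS = [
  { path: '/api/profile', query: '', body: '{"name":"alice","prefs":{"theme":"dark"}}' },
  { path: '/api/profile', query: '', body: '{"name":"mallory","__proto__":{"isAdmin":true}}' },
  { path: '/api/profile', query: '', body: '{"prefs":{"constructor":{"prototype":{"x":1}}}}' },
  { path: '/api/search', query: 'q=test&opts[__proto__][polluted]=1', body: '' },
  { path: '/api/search', query: 'q=prototype%20pollution', body: '' },
];

// Returns one alert per suspicious request with the reasons it fired.
function scanRequests(requests) {
  const alerts = [];
  requests.forEach((req, index) => {
    const reasons = [];
    if (req.body) {
      try {
        reasons.push(...findPollutingKeys(JSON.parse(req.body)).map(p => `body key ${p}`));
      } catch (e) { /* not JSON: nothing to inspect here */ }
    }
    if (req.query && queryHasPollution(req.query)) reasons.push('query string');
    if (reasons.length) alerts.push({ index, path: req.path, reasons });
  });
  return alerts;
}
```

Run over the sample set, requests 1 to 3 alert (body key __proto__; body keys prefs.constructor and prefs.constructor.prototype; query string) while the innocent profile update and the search for the phrase "prototype pollution" do not, which is the false positive a plain keyword match on "prototype" would produce.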

🔗 References

  • https://github.com/timdown/rangy/issues/478
  • https://nvd.nist.gov/vuln/detail/CVE-2023-26102