CVE-2023-26113

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to perform prototype pollution attacks via the extend function in collection.js. It affects applications using collection.js versions before 6.8.1, potentially enabling modification of object prototypes that could lead to denial of service, remote code execution, or other security impacts.

💻 Affected Systems

Products:
  • collection.js
Versions: All versions before 6.8.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vulnerable versions of collection.js with the extend function is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case: Denial of service, application crashes, or unauthorized data manipulation.

🟢 If Mitigated: Limited impact with proper input validation and security controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub issues; exploitation requires attacker-controlled input to the extend function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.8.1

Vendor Advisory: https://github.com/kobezzza/Collection/releases/tag/v6.8.1

Restart Required: No

Instructions:

1. Update collection.js to version 6.8.1 or later.
2. Run 'npm update collection.js' or update package.json to '^6.8.1'.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation for objects passed to the extend function to prevent prototype pollution.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs.
  • Use Object.freeze or similar techniques to prevent prototype modification.
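The input-validation workaround above and the "If You Can't Patch" list both amount to the same control: keep prototype-redirecting keys out of anything handed to a deep extend, and notice when Object.prototype changes anyway. The following is an added example of that control, not code from this advisory or from the Collection project; the function names and the sample request body are assumptions constructed for illustration.

```javascript
// Added example, not code from this advisory or from the Collection project.
// A guard that strips prototype-pollution keys from untrusted input before it
// reaches any deep extend/merge helper, plus a runtime check for a polluted
// Object.prototype. The sanitizeForExtend/unexpectedPrototypeProps names are
// assumptions for this example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Copy a value parsed from untrusted JSON, dropping any key that a recursive
// extend could follow into a shared prototype. Dropped key paths are collected
// in `rejected` so the caller can log them as a detection signal.
function sanitizeForExtend(value, path = '$', rejected = []) {
  if (Array.isArray(value)) {
    const clean = value.map((v, i) => sanitizeForExtend(v, `${path}[${i}]`, rejected).clean);
    return { clean, rejected };
  }
  if (value === null || typeof value !== 'object') return { clean: value, rejected };
  const clean = {};
  // Object.keys lists own keys only; JSON.parse stores "__proto__" as an own key,
  // so it shows up here and can be filtered before any assignment happens.
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) {
      rejected.push(`${path}.${key}`);
      continue;
    }
    clean[key] = sanitizeForExtend(value[key], `${path}.${key}`, rejected).clean;
  }
  return { clean, rejected };
}

// Snapshot of Object.prototype's own property names taken at load time. Any name
// that appears later was added at runtime, which in a web app is a strong sign
// that a merge was polluted. Compare this in a health check or periodic job.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function unexpectedPrototypeProps() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !PROTOTYPE_BASELINE.has(k));
}

// Constructed sample body in the shape the advisory warns about: a nested
// "__proto__" key inside otherwise ordinary settings.
const SAMPLE_BODY = JSON.parse(
  '{"name":"demo","prefs":{"__proto__":{"polluted":true},"theme":"dark"}}'
);

function demo() {
  const { clean, rejected } = sanitizeForExtend(SAMPLE_BODY);
  // `clean` is now safe to hand to an extend/merge call; `rejected` is what to log.
  return { clean, rejected, prototypeClean: unexpectedPrototypeProps().length === 0 };
}
```

Run the guard on every request body before it reaches extend, and feed the `rejected` paths into the log indicators listed under Detection & Monitoring.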

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list collection.js' to see if version is below 6.8.1.

Check Version:

npm list collection.js

Verify Fix Applied:

Verify collection.js version is 6.8.1 or higher using 'npm list collection.js'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes, unexpected object property modifications, or error logs related to prototype pollution.

Network Indicators:

  • Unusual HTTP requests with crafted JSON objects targeting extend function endpoints.

SIEM Query:

Search for application logs containing 'extend' function calls with suspicious object structures.
