Description
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
Published: 2026-02-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution
Action: Patch
AI Analysis

Impact

CASL Ability versions 2.4.0 through 6.7.4 contain a prototype pollution flaw that lets an attacker write arbitrary properties onto shared object prototypes such as Object.prototype. Because every plain JavaScript object inherits from that prototype, the injected properties show up on objects the attacker never touched, including configuration, session and authorization data. The result ranges from subtle changes in application logic and denial of service to more severe consequences where the polluted properties influence control flow or authorization decisions. The weakness is CWE-1321, Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Affected Systems

The affected product is CASL Ability, a JavaScript authorization library (published on npm as @casl/ability). The vulnerable releases span 2.4.0 up to and including 6.7.4. Any deployment on one of these versions should be treated as vulnerable until a fixed release is deployed, particularly where untrusted input can reach the library.

Risk and Exploitability

The advisory rates the issue CVSS 9.8 (Critical); the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-reachable flaw that needs no privileges or user interaction and has high impact on confidentiality, integrity and availability. EPSS puts the current probability of exploitation below 1%, the SSVC assessment records no known exploitation (while judging the flaw automatable with total technical impact), and the CVE is not listed in the CISA KEV catalog. The realistic attack path is an application that passes attacker-controlled JSON (for example rule definitions or condition objects built from a request body) into the library, allowing keys such as __proto__ to be walked so that their contents land on Object.prototype. Because every plain object inherits from that prototype, a successful exploit can alter authorization decisions, corrupt application state or crash the process.

Generated by OpenCVE AI on April 17, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a CASL Ability release later than 6.7.4; the advisory's affected range ends at 6.7.4. Confirm the installed version across the whole dependency tree (for example with `npm ls @casl/ability`), since the package is frequently pulled in transitively.
  • If an upgrade cannot be performed immediately, isolate the vulnerable package: pin or override it in the lockfile, remove features or modules that feed it untrusted input, and where feasible keep it out of processes that handle external requests.
  • Add runtime checks that reject or strip the keys __proto__, constructor and prototype from any untrusted JSON before it reaches the library (rule definitions, condition objects, subjects built from request bodies), build lookup maps with Object.create(null) or Map instead of plain objects, and consider Object.freeze(Object.prototype) at startup after verifying that nothing in the application relies on extending it.
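A concrete form of the runtime-check recommendation, as an added example that is not CASL's code and not part of this advisory: the generic CWE-1321 merge pattern beside a hardened version, a validator that locates prototype-related keys in untrusted JSON, a check for an already-polluted Object.prototype, and the freeze hardening. The names unsafeMerge, safeMerge, findForbiddenKey, prototypePolluted and freezePrototypes are chosen here, the CASL-style rule document is constructed input, and nothing below reproduces how CASL itself processes rules.

```javascript
// Added example (not CASL's code): the generic CWE-1321 pattern behind prototype
// pollution, plus the input validation and runtime hardening a caller can apply.
// unsafeMerge is a constructed, deliberately unsafe helper used only to show the bug.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deliberately unsafe: walks every key of attacker-controlled JSON, including
// "__proto__", so target["__proto__"] resolves to Object.prototype and the
// recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips prototype-related keys and only descends into the target's
// own properties, never into anything inherited through the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input validation for untrusted JSON (rule definitions, condition objects,
// request bodies): returns the JSONPath-style location of the first
// prototype-related key, or null when the document is clean.
function findForbiddenKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    const hit = findForbiddenKey(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Runtime check: every builtin on Object.prototype is non-enumerable, so any
// enumerable key there was added by application code or by a pollution.
function prototypePolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Runtime hardening: a frozen Object.prototype accepts no new properties.
function freezePrototypes() {
  Object.freeze(Object.prototype);
}

function demo() {
  // Constructed attacker input: a CASL-style rule whose conditions carry a
  // "__proto__" key. JSON.parse keeps it as an ordinary own property.
  const untrustedRule = JSON.parse(
    '{"action":"read","subject":"Article","conditions":{"__proto__":{"isAdmin":true}}}'
  );
  const before = prototypePolluted();
  unsafeMerge({}, untrustedRule.conditions);
  const afterUnsafe = prototypePolluted();
  const leaked = ({}).isAdmin === true; // an unrelated fresh object now inherits the flag
  delete Object.prototype.isAdmin;       // undo the pollution for the rest of the demo

  const rejectedAt = findForbiddenKey(untrustedRule);
  safeMerge({}, untrustedRule.conditions);
  const afterSafe = prototypePolluted();

  freezePrototypes();
  try { unsafeMerge({}, untrustedRule.conditions); } catch (e) { /* TypeError in strict mode */ }
  const afterFreeze = prototypePolluted();

  return { before, afterUnsafe, leaked, afterSafe, rejectedAt, afterFreeze };
}

const demoResult = demo();
console.log(demoResult);
```

The validator runs on the parsed document before it is handed to any library, so the offending path can be logged and the request rejected. The freeze step has a side effect worth testing for: once Object.prototype is frozen, plain objects can no longer shadow builtin names such as toString or hasOwnProperty by plain assignment, which silently fails in sloppy mode and throws in strict mode, so apply it at process start and run the application's test suite against it before shipping.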

Advisories
Source: GitHub GHSA
ID: GHSA-x9vf-53q3-cvx6
Title: CASL Ability is Vulnerable to Prototype Pollution
History

Fri, 17 Apr 2026 21:15:00 +0000

Weaknesses: CWE-1321

Wed, 11 Feb 2026 15:15:00 +0000

Metrics:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 21:45:00 +0000

First Time appeared (Values Added): Casl Ability; Casl Ability casl Ability
Vendors & Products (Values Added): Casl Ability; Casl Ability casl Ability

Tue, 10 Feb 2026 17:30:00 +0000

References

Tue, 10 Feb 2026 16:15:00 +0000

Description (Values Added): CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
Title (Values Added): CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-02-11T14:44:50.765Z

Reserved: 2026-02-02T17:01:20.831Z

Link: CVE-2026-1774

Vulnrichment

Updated: 2026-02-10T16:22:54.320Z

NVD

Status : Deferred

Published: 2026-02-10T16:16:10.740

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1774

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses