Description
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Published: 2026-02-26
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution
Action: Apply patch
AI Analysis

Impact

Dottie.js provides nested object access through dot‑separated paths. A bug in a defensive guard added in a previous patch only inspects the first segment of such a path, allowing an attacker to insert "__proto__" in any other segment and cause prototype pollution. This changes shared prototypes and can alter the behavior of other objects that rely on them. The vulnerability is classified under CWE‑1321 (Prototype Pollution) and CWE‑915 (Implicit Type Conversion).

Affected Systems

The issue affects the dottie.js library maintained by mickhansen. Versions 2.0.4 through 2.0.6 contain the incomplete fix and are vulnerable. Version 2.0.7 and later contain an updated fix that removes the flaw. Applications that embed these specific Node.js module versions, especially those that rely on user‑supplied dot‑path strings, are at risk.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low but non‑zero chance of exploitation. The vulnerability is not listed in CISA's KEV catalog, so no widespread known exploitation has yet been reported. The most likely attack vector is any code path that passes user‑supplied or untrusted dot‑separated paths to dottie.set() or dottie.transform(), enabling an attacker to manipulate prototypes that other code may later use.

Generated by OpenCVE AI on April 18, 2026 at 19:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to dottie.js v2.0.7 or newer to apply the complete fix
  • Sanitize any user‑supplied path strings before calling dottie.set() or dottie.transform(), removing or escaping "__proto__" segments that appear beyond the first component
  • Restrict calls to dottie.set() and dottie.transform() to trusted, internal data rather than public or untrusted input
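One way to implement the path check from the second bullet, as an added example that is not dottie's own code: a validator that inspects every segment of the path, not only the first, and a wrapper that refuses unsafe paths before they reach the setter. `firstSegmentOnlyGuard` is a hypothetical sketch of the incomplete check the advisory describes, `setPath` is a local stand-in so the example runs without the dottie module, and `isSafeTransformInput` assumes transform's input is an object whose keys are dot-separated paths with the default `.` delimiter.

```javascript
// Segments that must never appear anywhere in a user-controlled path.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise a path to an array of segments. Accepts a dot-separated string
// or an already-split array, so the same check serves both calling styles.
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Hypothetical sketch of the incomplete check described in the advisory
// (not dottie's actual code): only the first segment is inspected.
function firstSegmentOnlyGuard(path) {
  return !FORBIDDEN_SEGMENTS.has(toSegments(path)[0]);
}

// Complete check: every segment must be a non-empty, non-reserved name.
function isSafeDotPath(path) {
  const segments = toSegments(path);
  return segments.length > 0 &&
    segments.every((s) => s.length > 0 && !FORBIDDEN_SEGMENTS.has(s));
}

// For transform(): the dotted paths are the input object's own keys
// (default '.' delimiter assumed), so each key gets the same check.
function isSafeTransformInput(input) {
  return Object.keys(input).every(isSafeDotPath);
}

// Refuse unsafe paths before delegating to the real setter (dottie.set in
// production; the local stand-in below so the example runs offline).
function safeSet(setFn, obj, path, value) {
  if (!isSafeDotPath(path)) {
    throw new Error(`rejected unsafe path: ${JSON.stringify(path)}`);
  }
  return setFn(obj, path, value);
}

// Minimal nested setter used only as a stand-in; not dottie's implementation.
function setPath(obj, path, value) {
  const segments = toSegments(path);
  let cur = obj;
  for (const s of segments.slice(0, -1)) {
    if (typeof cur[s] !== 'object' || cur[s] === null) cur[s] = {};
    cur = cur[s];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}
```

In production, `safeSet(dottie.set, obj, path, value)` applies the same check in front of the real library call.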


Advisories
Source: Github GHSA
ID: GHSA-r5mx-6wc6-7h9w
Title: dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
History

Sat, 28 Feb 2026 01:00:00 +0000

First Time appeared
  Values Added: Dottie Project; Dottie Project dottie
CPEs
  Values Added: cpe:2.3:a:dottie_project:dottie:*:*:*:*:*:node.js:*:*
Vendors & Products
  Values Added: Dottie Project; Dottie Project dottie

Fri, 27 Feb 2026 00:15:00 +0000

Weaknesses
  Values Added: CWE-915
References
Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Moderate

Thu, 26 Feb 2026 17:15:00 +0000

Metrics
  Values Added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

First Time appeared
  Values Added: Mickhansen; Mickhansen dottie.js
Vendors & Products
  Values Added: Mickhansen; Mickhansen dottie.js

Thu, 26 Feb 2026 01:00:00 +0000

Description
  Values Added: Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Title
  Values Added: Dottie vulnerable to prototype pollution bypass via non-first path segments in set() and transform()
Weaknesses
  Values Added: CWE-1321
References
Metrics
  Values Added: cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:40:07.451Z

Reserved: 2026-02-24T02:32:39.801Z

Link: CVE-2026-27837

Vulnrichment

Updated: 2026-02-26T14:39:49.575Z

NVD

Status: Analyzed

Published: 2026-02-26T01:16:24.937

Modified: 2026-02-28T00:58:17.540

Link: CVE-2026-27837

Red Hat

Severity: Moderate

Public Date: 2026-02-26T00:19:24Z

Links: CVE-2026-27837 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses