Description
A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. Impacted is the function extend in the library lib/WebAudioRecorder.js of the component Dynamic Config Handling. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-23
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution
Action: Upgrade Library
AI Analysis

Impact

The extend function in WebAudioRecorder.js accepts dynamic configuration data without proper validation, leading to unsafe modification of JavaScript object prototypes. This prototype pollution flaw, identified as CWE‑1321, can also allow insertion of executable code through malformed inputs, corresponding to CWE‑94. The primary impact is that an attacker can alter core objects, which may enable remote code execution or cause unpredictable application behavior. The vulnerable code resides in the lib/WebAudioRecorder.js function extend in higuma web-audio-recorder-js version 0.1/0.1.1.

Affected Systems

Higuma WebAudioRecorder.js, versions 0.1 and 0.1.1, are the only releases that contain the vulnerable extend function. Any web application that imports these specific versions—via npm, CDNs, or direct script tags—is potentially exposed. The vulnerability is tied to the library's core JavaScript, and does not propagate to unrelated modules unless they invoke the extend function.

Risk and Exploitability

The CVSS score of 2.3 classifies this as a low‑severity vulnerability, which is reinforced by the EPSS score of less than 1 %, indicating a very low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog, suggesting no known large‑scale attacks based on this flaw have been observed. Attackers could launch the exploit from a remote malicious web page that loads the vulnerable library and supplies crafted configuration data. While the exploit is publicly available, the complexity of dynamically traversing the library's prototype chain makes successful attacks non‑trivial, keeping the overall risk low but not negligible.

Generated by OpenCVE AI on April 18, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade higuma web-audio-recorder-js to any released version that addresses the prototype‑pollution flaw, if such a version exists.
  • Replace dynamic calls to the extend function with explicit property assignments or a wrapper that validates keys against an allowlist before modifying prototypes.
  • Sanitize all input values passed to the configuration mechanism, ensuring only trusted and expected data is processed, to prevent unintended prototype manipulation.
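
A sketch of the allowlist wrapper described in the second recommendation, as an added example (not code from web-audio-recorder-js or from OpenCVE). The names `safeExtend`, `CONFIG_SCHEMA` and `demo`, and the configuration keys in the schema, are hypothetical; the sample input is constructed.

```javascript
'use strict';

// Keys that reach the prototype chain; never merged, whatever the schema says.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical allowlist: key -> expected typeof, or a nested schema object.
const CONFIG_SCHEMA = {
  numChannels: 'number',
  encoding: 'string',
  options: { timeLimit: 'number', encodeAfterRecord: 'boolean', mp3: { bitRate: 'number' } },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Recursively copy allowlisted own properties of `source` into `target`.
// Returns the rejected key paths so the caller can log or alert on them.
function safeExtend(target, source, schema = CONFIG_SCHEMA, path = '', rejected = []) {
  if (!isPlainObject(source)) return rejected;
  for (const key of Object.keys(source)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key) || !hasOwn(schema, key)) {
      rejected.push(here);
      continue;
    }
    const rule = schema[key];
    const value = source[key];
    if (isPlainObject(rule)) {
      if (!isPlainObject(value)) { rejected.push(here); continue; }
      // Descend only into an own, plain-object property of the target.
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeExtend(target[key], value, rule, here, rejected);
    } else if (typeof value === rule) {
      target[key] = value;
    } else {
      rejected.push(here);
    }
  }
  return rejected;
}

// Constructed sample: untrusted JSON mixing valid, unknown and prototype keys.
function demo() {
  const config = { numChannels: 2, options: { timeLimit: 300 } };
  const untrusted = JSON.parse('{"numChannels":1,"__proto__":{"polluted":true},"options":{"timeLimit":60,"constructor":{"prototype":{"polluted":true}},"mp3":{"bitRate":"160"}},"workerDir":"x/"}');
  const rejected = safeExtend(config, untrusted);
  return { config, rejected };
}
```

Rejected paths are returned rather than silently dropped, so a non-empty list containing `__proto__` or `constructor` can be logged as a probable tampering attempt.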


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Higuma webaudiorecorder.js
CPEs | | cpe:2.3:a:higuma:webaudiorecorder.js:0.1.1:*:*:*:*:*:*:*
 | | cpe:2.3:a:higuma:webaudiorecorder.js:0.1:*:*:*:*:*:*:*
Vendors & Products | | Higuma webaudiorecorder.js

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Higuma
 | | Higuma web-audio-recorder-js
Vendors & Products | | Higuma
 | | Higuma web-audio-recorder-js

Mon, 23 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. Impacted is the function extend in the library lib/WebAudioRecorder.js of the component Dynamic Config Handling. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | higuma web-audio-recorder-js Dynamic Config Handling WebAudioRecorder.js extend prototype pollution
Weaknesses | | CWE-1321
 | | CWE-94
References | |
Metrics | | cvssV2_0 {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:49:40.324Z

Reserved: 2026-02-22T07:26:30.719Z

Link: CVE-2026-2964

Vulnrichment

Updated: 2026-02-23T13:49:16.458Z

NVD

Status: Analyzed

Published: 2026-02-23T02:16:39.643

Modified: 2026-02-26T20:08:43.307

Link: CVE-2026-2964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses