Description
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.
Published: 2026-05-04
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 1.69.3, Evolver’s mailbox store module suffers from prototype pollution. The functions _applyUpdate() and _updateRecord() use Object.assign() to merge data supplied by the user without filtering dangerous prototype keys such as __proto__, constructor, or prototype. An attacker who can inject such keys alters the JavaScript Object prototype, causing all objects in the runtime to inherit malicious properties and potentially change program flow. This flaw is classified as CWE‑1321.

Affected Systems

Systems running EvoMap’s Evolver engine before 1.69.3 are vulnerable. The update to version 1.69.3 includes the necessary patch. If an implementation remains on an older release, it should be upgraded at the earliest convenience.

Risk and Exploitability

The CVSS score of 5.2 indicates a moderate risk. No EPSS value is available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the probable attack vector involves an attacker sending crafted data to the mailbox store, such as through a connected interface or API. Because the flaw modifies global object behavior, successful exploitation may lead to arbitrary code execution or other unpredictable outcomes. Mitigation requires updating to a fixed version or applying the workaround until a patch is available.

Generated by OpenCVE AI on May 4, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Evolver to version 1.69.3 or later to remove the prototype pollution vulnerability.
  • If immediate upgrade is not possible, modify the mailbox store implementation to explicitly strip dangerous keys (e.g., __proto__, constructor, prototype) from any data passed to Object.assign, ensuring no prototype manipulation can occur.
  • Perform a security audit of the codebase to identify any other instances where Object.assign is used on untrusted input and apply similar sanitization or refactor to use safer merging techniques.

Generated by OpenCVE AI on May 4, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2cjr-5v3h-v2w4 Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
History

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Evomap
Evomap evolver
Vendors & Products Evomap
Evomap evolver

Mon, 04 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.
Title Evolver: Prototype Pollution via `Object.assign()` in mailbox store operations
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H'}

Subscriptions

Evomap Evolver
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T13:40:54.808Z

Reserved: 2026-04-23T19:17:30.565Z

Link: CVE-2026-42077

cve-icon Vulnrichment

Updated: 2026-05-06T13:38:42.448Z

cve-icon NVD

Status : Deferred

Published: 2026-05-04T17:16:24.587

Modified: 2026-05-07T15:46:40.943

Link: CVE-2026-42077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T09:22:45Z

Weaknesses