Description
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.
Published: 2026-05-04
Score: 5.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 1.69.3, Evolver’s mailbox store module suffers from prototype pollution. The functions _applyUpdate() and _updateRecord() use Object.assign() to merge data supplied by the user without filtering dangerous prototype keys such as __proto__, constructor, or prototype. An attacker who can inject such keys alters the JavaScript Object prototype, causing all objects in the runtime to inherit malicious properties and potentially change program flow. This flaw is classified as CWE‑1321.

Affected Systems

Systems running EvoMap’s Evolver engine before 1.69.3 are vulnerable. The update to version 1.69.3 includes the necessary patch. If an implementation remains on an older release, it should be upgraded at the earliest convenience.

Risk and Exploitability

The CVSS score of 5.2 indicates a moderate risk. No EPSS value is available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the probable attack vector involves an attacker sending crafted data to the mailbox store, such as through a connected interface or API. Because the flaw modifies global object behavior, successful exploitation may lead to arbitrary code execution or other unpredictable outcomes. Mitigation requires updating to a fixed version or applying the workaround until a patch is available.

Generated by OpenCVE AI on May 4, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Evolver to version 1.69.3 or later to remove the prototype pollution vulnerability.
  • If immediate upgrade is not possible, modify the mailbox store implementation to explicitly strip dangerous keys (e.g., __proto__, constructor, prototype) from any data passed to Object.assign, ensuring no prototype manipulation can occur.
  • Perform a security audit of the codebase to identify any other instances where Object.assign is used on untrusted input and apply similar sanitization or refactor to use safer merging techniques.

Generated by OpenCVE AI on May 4, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.
Title Evolver: Prototype Pollution via `Object.assign()` in mailbox store operations
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T16:50:15.167Z

Reserved: 2026-04-23T19:17:30.565Z

Link: CVE-2026-42077

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T17:16:24.587

Modified: 2026-05-04T17:16:24.587

Link: CVE-2026-42077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:15:06Z

Weaknesses