Impact
ApostropheCMS, an open-source Node.js content management system, contains a flaw in its data-patching helper that allows an authenticated editor to inject a __proto__ key through a $pullAll patch operator. The helper does not sanitize dot-notation paths, so the patch can modify Object.prototype in the running Node.js process. Once the prototype is altered, the internal publicApiCheck routine incorrectly authorizes all subsequent REST API requests for every piece type, effectively removing authorization controls from every API endpoint served by that process. The effect persists for the lifetime of the Node.js instance, exposing all content to unauthenticated access until the process is restarted.
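The following is an added, defender-side illustration, not ApostropheCMS code: a sketch of a $pullAll handler that refuses dot-notation segments able to reach Object.prototype, plus a startup-baseline check a health endpoint could use to detect pollution after the fact. The function names and the shape of the patch helper are assumptions.

```javascript
// Added example (not ApostropheCMS code). Assumes a patch helper that applies
// $pullAll by walking a dot-separated path into a plain document object.

// Segments that would let a path escape the document and reach the prototype chain.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dot-notation path and reject any segment that targets the prototype chain.
function assertSafePath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('patch path must be a non-empty string');
  }
  const segments = path.split('.');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`unsafe path segment rejected: ${seg}`);
    }
  }
  return segments;
}

// Apply a $pullAll operator: remove every listed value from the array at `path`.
// Intermediate objects are created as own properties only; inherited ones are never walked.
function applyPullAll(doc, path, values) {
  if (!Array.isArray(values)) throw new TypeError('$pullAll expects an array of values');
  const segments = assertSafePath(path);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cursor = doc;
  for (const seg of segments.slice(0, -1)) {
    if (!hasOwn(cursor, seg) || typeof cursor[seg] !== 'object' || cursor[seg] === null) {
      cursor[seg] = {};
    }
    cursor = cursor[seg];
  }
  const last = segments[segments.length - 1];
  const current = hasOwn(cursor, last) ? cursor[last] : [];
  if (!Array.isArray(current)) throw new TypeError(`$pullAll target ${path} is not an array`);
  const drop = new Set(values);
  cursor[last] = current.filter((v) => !drop.has(v));
  return doc;
}

// Detection: snapshot Object.prototype's own property names at startup (before any
// untrusted input is processed); any extra key appearing later indicates pollution.
const BASELINE_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));
function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype).every((k) => BASELINE_PROTO_KEYS.has(k));
}
```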
Affected Systems
All ApostropheCMS releases up to and including version 4.30.0 are vulnerable. No patched version is currently available, so the vulnerability remains present in every deployment that has not been upgraded or otherwise hardened. The problem is confined to the ApostropheCMS product identified as apostrophecms:apostrophe.
Risk and Exploitability
The CVSS score of 9.1 indicates critical severity. No EPSS score is provided, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with editor permissions; however, the resulting impact is a complete loss of authorization for every REST API endpoint served by the affected process. Once the prototype is polluted, the flaw remains in effect until the Node.js process is restarted or the code is corrected. Because the attack relies on legitimate privileged credentials, the risk rises if those credentials are compromised or shared.
OpenCVE Enrichment