@adguard/scriptlets is vulnerable to Protection Mechanism Failure
45
Medium Risk
Affected versions of this package allow client-side bypass of the trusted-replace-xhr-response and prevent-xhr scriptlets by simply setting xhr.shouldBePrevented = false, effectively disabling enforced XHR interception and response replacement. Because the protection flag is exposed as a predictable, mutable property on the XMLHttpRequest instance, any script running in the page context can override it and neutralize the rule. An attacker controlling injected JavaScript (e.g., malicious third-party script or compromised dependency) could deliberately unset this flag to restore original responses, bypass filtering logic, and access or exfiltrate sensitive data that should have been sanitized or blocked.
You are affected if you are using a version that falls within the vulnerable range.
@adguard/scriptlets is vulnerable to Protection Mechanism Failure in versions 1.9.37 - 2.2.15.
Upgrade the @adguard/scriptlets library to a patched version.
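The weakness described above, reduced to a runnable sketch and set beside one way to keep the decision out of reach of page scripts. This is an added example, not code from @adguard/scriptlets and not the project's actual fix; FakeXHR, the patch functions, the isBlocked predicate and the sample URL are assumptions made for illustration, and only the property name shouldBePrevented comes from the advisory.

```javascript
// Added illustration, not AdGuard's code. FakeXHR is a constructed stand-in
// for XMLHttpRequest so the block runs in Node without a browser.
function makeXhrClass() {
  return class FakeXHR {
    open(method, url) { this.url = url; }
    send() { return `real:${this.url}`; }
  };
}

// Weak pattern: the interception decision is stored in a public, writable
// property on the instance, so any script holding the object can change it.
function patchWithPublicFlag(XHR, isBlocked) {
  const { open, send } = XHR.prototype;
  XHR.prototype.open = function (method, url) {
    this.shouldBePrevented = isBlocked(url);
    return open.call(this, method, url);
  };
  XHR.prototype.send = function () {
    return this.shouldBePrevented ? 'blocked' : send.call(this);
  };
  return XHR;
}

// Hardened pattern: the decision is kept in a WeakSet held in this closure.
// Nothing on the instance encodes it, so writing to the instance has no effect.
function patchWithPrivateState(XHR, isBlocked) {
  const { open, send } = XHR.prototype;
  const blocked = new WeakSet();
  XHR.prototype.open = function (method, url) {
    if (isBlocked(url)) blocked.add(this); else blocked.delete(this);
    return open.call(this, method, url);
  };
  XHR.prototype.send = function () {
    return blocked.has(this) ? 'blocked' : send.call(this);
  };
  return XHR;
}

// Replays the property write named in the advisory against either variant.
function sendAfterFlagOverride(patch) {
  const XHR = patch(makeXhrClass(), (url) => url.includes('/tracker'));
  const xhr = new XHR();
  xhr.open('GET', 'https://example.test/tracker'); // constructed sample URL
  xhr.shouldBePrevented = false;
  return xhr.send();
}

console.log(sendAfterFlagOverride(patchWithPublicFlag));
console.log(sendAfterFlagOverride(patchWithPrivateState));
```

The sketch covers only the exposed flag; it does not model anything else a page script can do to a patched prototype.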