Intel

AIKIDO-2026-180874

@react-email/editor is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

59

Medium Risk

This Affects:

JS@react-email/editor
1.0.0 - 1.4.7
Fixed in 1.4.8
Are you affected? Scan for Free

TL;DR

The email-theming plugin in @react-email/editor builds CSS-in-JS objects from panel-style theme input using plain object literals in transformToCssJs and mergeCssJs. Because these objects inherit from Object.prototype, attacker-controlled keys such as __proto__, constructor, or prototype in the supplied theme or panel-style input route through the prototype setter and mutate Object.prototype globally. This prototype pollution can corrupt application state or influence later logic in the consuming application. The fix builds cssJS and merged theme objects with Object.create(null) and uses defensive merging so hostile keys become plain own properties instead of mutating the global prototype.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes attacker-controlled theme or panel-style input into the email-theming plugin.

Background info

@react-email/editor is vulnerable to Prototype Pollution in versions 1.0.0 - 1.4.7.

How to fix this

Upgrade the @react-email/editor library to the patch version.