Intel

AIKIDO-2026-406665

scim-patch is vulnerable to Prototype Pollution

Prototype PollutionGHSA-2mhw-wcx5-v3xj Published 3 days ago

43

Medium Risk

This Affects:

JSscim-patch
0.9.1 - 0.9.1
Fixed in 0.9.2
Are you affected? Scan for Free

TL;DR

scim-patch blocks direct dangerous path segments such as __proto__, constructor, and prototype, but navigate() and assign() still treat inherited properties as existing when resolving SCIM patch paths. An attacker who controls a SCIM PATCH operation can use a path like toString.polluted to mutate shared built-in method objects such as Object.prototype.toString, adding attacker-controlled properties process-wide. The impact is narrower than direct Object.prototype pollution but still leaks into any application logic that reads properties from inherited methods. The fix switches to own-property checks via Object.prototype.hasOwnProperty.call so only own keys are traversed and inherited built-ins are no longer mutated.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

scim-patch is vulnerable to Prototype Pollution in versions 0.9.1 - 0.9.1.

How to fix this

Upgrade the scim-patch library to the patch version.