
CVE-2026-27837: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mickhansen dottie.js

Severity: Medium
Published: Thu Feb 26 2026 (02/26/2026, 00:19:24 UTC)
Source: CVE Database V5
Vendor/Project: mickhansen
Product: dottie.js

Description

CVE-2026-27837 is a prototype pollution vulnerability in the JavaScript library dottie.js versions 2.0.4 through 2.0.6. The vulnerability arises from an incomplete fix for a previous issue (CVE-2023-26132), where the prototype pollution guard only validates the first segment of a dot-separated path, allowing attackers to bypass protections by placing '__proto__' in any position other than the first. Both dottie.set() and dottie.transform() functions are affected.

AI-Powered Analysis

Last updated: 02/26/2026, 01:13:19 UTC

Technical Analysis

Dottie.js is a JavaScript utility library that facilitates nested object access and manipulation. Versions 2.0.4 through 2.0.6 contain a prototype pollution vulnerability identified as CVE-2026-27837 (CWE-1321). Prototype pollution occurs when an attacker can modify the prototype of a base object, which can lead to unexpected behavior or security issues in applications. This vulnerability is a residual issue from an incomplete fix for CVE-2023-26132. The original fix introduced a guard that validated only the first segment of a dot-separated path to prevent prototype pollution. This validation was insufficient because an attacker can craft a path in which the special property '__proto__' appears in any position other than the first, bypassing the check. Both the dottie.set() and dottie.transform() functions are vulnerable because they set or transform nested object properties using dot-separated paths. Exploiting this vulnerability can allow an attacker to modify the prototype of JavaScript objects, potentially leading to privilege escalation, data corruption, or denial of service within applications that rely on dottie.js. The vulnerability has a CVSS 3.1 base score of 6.3 (medium severity): network attack vector, low attack complexity, no privileges required, but user interaction required. The vulnerability affects all applications using dottie.js versions from 2.0.4 up to but not including 2.0.7, which contains an updated fix that properly addresses the prototype pollution guard. There are no known exploits in the wild at this time, but the vulnerability poses a significant risk to applications that use the affected library versions and accept untrusted input for object manipulation.

Potential Impact

The prototype pollution vulnerability in dottie.js can have several impacts on affected applications and organizations. By manipulating the prototype of JavaScript objects, attackers can alter application logic, bypass security controls, or cause unexpected behavior. This can lead to data integrity issues, such as overwriting critical application data or configuration. In some cases, it may allow privilege escalation within the application context, enabling attackers to execute arbitrary code or escalate their access rights. Additionally, prototype pollution can cause denial of service conditions by corrupting application state or triggering runtime errors. Since dottie.js is a utility library used in JavaScript applications, the impact depends on how the library is integrated and whether user-controlled input is passed to the vulnerable functions. Organizations using affected versions in web applications, APIs, or backend services are at risk. The medium CVSS score reflects that exploitation requires user interaction and crafted input, but no authentication or elevated privileges. If exploited, the vulnerability can compromise confidentiality, integrity, and availability of affected systems, potentially leading to data breaches, service disruption, or further exploitation chains.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade dottie.js to version 2.0.7 or later, which contains the corrected fix for prototype pollution. If upgrading is not immediately feasible, apply strict input validation and sanitization to any user-supplied data passed to dottie.set() or dottie.transform() to prevent injection of '__proto__' or other prototype-related keys in nested paths. Implement runtime monitoring and logging to detect suspicious object modifications indicative of prototype pollution attempts. Employ security best practices such as Content Security Policy (CSP) and sandboxing to limit the impact of potential exploitation. Conduct code reviews and dependency audits to identify and remediate usage of vulnerable dottie.js versions. Additionally, consider using static analysis tools that can detect prototype pollution patterns in code. Finally, educate developers about the risks of prototype pollution and secure coding practices when manipulating object properties dynamically.
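The following is an added illustration, not dottie.js's own code, of the guard weakness described in the Technical Analysis and of the path validation recommended above: a first-segment-only check beside a check of every segment, a hardened nested setter built on the latter, and a simple runtime self-check for a polluted Object.prototype. All function names and the sample path are hypothetical.

```javascript
// Added example (not dottie.js's own code). Keys that must never appear
// in a user-controlled path, at any position.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Incomplete guard of the kind the advisory describes: only the first
// segment is inspected, so a path like "settings.__proto__.x" is accepted.
function firstSegmentGuardAccepts(path) {
  return !UNSAFE_KEYS.has(path.split('.')[0]);
}

// Corrected guard: the path is safe only if EVERY segment is benign.
// Usable on its own as input validation before calling a setter.
function pathIsSafe(path) {
  return path.split('.').every((seg) => !UNSAFE_KEYS.has(seg));
}

// Hardened nested setter: validates the whole path up front, then walks
// it using own properties only, so a prototype link is never traversed.
function safeSet(target, path, value) {
  if (!pathIsSafe(path)) {
    throw new Error(`refusing unsafe path: ${path}`);
  }
  const segs = path.split('.');
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Runtime self-check for monitoring: built-in Object.prototype members are
// non-enumerable, so any enumerable own key here is a pollution indicator.
function unexpectedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Exercise safeSet with a constructed hostile path (sample input) and
// confirm it is rejected and nothing leaked onto Object.prototype.
function prototypeStaysClean() {
  const hostile = 'settings.__proto__.polluted'; // constructed sample
  let rejected = false;
  try { safeSet({}, hostile, true); } catch (e) { rejected = true; }
  return rejected && ({}).polluted === undefined;
}
```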


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-24T02:32:39.801Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f9a40b7ef31ef0b7260f8

Added to database: 2/26/2026, 12:56:32 AM

Last enriched: 2/26/2026, 1:13:19 AM

Last updated: 2/26/2026, 2:18:37 AM
