Cyber Posture

CVE-2026-27837

Severity: Medium · Public PoC

Published: 26 February 2026
Modified: 28 February 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0016 (37.1th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Directly mitigates the prototype pollution vulnerability by requiring timely patching to Dottie version 2.0.7 or later.

Prevent: Prevents exploitation by validating dot-separated object paths to block '__proto__' in any position before processing with dottie.set() or dottie.transform().

Detect: Identifies deployment of vulnerable Dottie versions 2.0.4-2.0.6 through vulnerability scanning, enabling remediation.
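The second control above describes validating every segment of a dot-separated path before it is handed to a nested setter. The following is an added example written for this page; it is not Dottie's code and does not call the library. It places the weak check the advisory describes (first segment only) beside a corrected check that inspects every segment, and wraps the corrected check in a small `safeSet`/`safeTransform` pair that mirrors the two affected operations. The helper names, the sample paths, and the inclusion of `constructor` and `prototype` alongside `__proto__` (a common defensive extension that goes beyond the single segment named on the page) are this example's own assumptions.

```javascript
// Added example for CVE-2026-27837 mitigation; not Dottie's own implementation.
// Segments that would let a path reach an object's prototype chain. The page names
// only '__proto__'; 'constructor' and 'prototype' are added here as an assumption
// reflecting common prototype-pollution hardening.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak guard, modelled on the behaviour the advisory describes: only the first
// segment of the path is inspected, so a later forbidden segment slips through.
function firstSegmentOnlyGuard(path) {
  const segments = String(path).split('.');
  return !FORBIDDEN_SEGMENTS.has(segments[0]);
}

// Corrected guard: every segment of the path is inspected, and empty or
// non-string paths are rejected outright.
function isSafePath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path.split('.').every((segment) => !FORBIDDEN_SEGMENTS.has(segment));
}

// Minimal nested setter (hypothetical helper, not dottie.set) that refuses
// unsafe paths and only descends into own, plain-object properties, creating
// intermediate objects as needed.
function safeSet(target, path, value) {
  if (!isSafePath(path)) {
    throw new TypeError(`rejected unsafe object path: ${String(path)}`);
  }
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i += 1) {
    const key = segments[i];
    const existing = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Minimal transform (hypothetical helper, not dottie.transform): expands an
// object whose keys are dotted paths into a nested object, validating each key.
function safeTransform(flat) {
  const out = {};
  for (const key of Object.keys(flat)) {
    safeSet(out, key, flat[key]);
  }
  return out;
}

module.exports = { FORBIDDEN_SEGMENTS, firstSegmentOnlyGuard, isSafePath, safeSet, safeTransform };
```

With a constructed path such as `a.__proto__.polluted`, `firstSegmentOnlyGuard` returns `true` (the first segment `a` is harmless), which is exactly the gap the advisory describes; `isSafePath` returns `false` for the same input, and `safeSet` throws instead of writing. Legitimate paths like `user.profile.name` pass both checks and produce the expected nested structure.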

Security Summary (AI-generated)

CVE-2026-27837 is a prototype pollution vulnerability affecting the Dottie JavaScript library, which provides nested object access and manipulation capabilities. Versions 2.0.4 through 2.0.6 contain an incomplete fix for the prior CVE-2023-26132, where the prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path. This allows attackers to bypass the protection by placing "__proto__" at any position other than the first in the path. Both the dottie.set() and dottie.transform() functions are impacted, classified under CWE-1321 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

Remote, unprivileged attackers can exploit this vulnerability by crafting malicious input, although exploitation requires user interaction, such as tricking a user into processing a specially formatted object path. Successful exploitation enables limited prototype pollution, with low impacts on confidentiality, integrity, and availability from tampering with object prototypes in JavaScript applications that use the affected Dottie functions.

Advisories from GitHub, including GHSA-4gxf-g5gf-22h4 and GHSA-r5mx-6wc6-7h9w, along with commit 7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14, recommend upgrading to Dottie version 2.0.7, which includes an updated fix to properly validate all segments of dot-separated paths and address the residual vulnerability.

Details

CWE(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected Products

Vendor: dottie project
Product: dottie
Versions: 2.0.4 to 2.0.7 (the description lists 2.0.4 through 2.0.6 as vulnerable and 2.0.7 as the fixed release)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.003 Runtime Data Manipulation (Impact): Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.
Why these techniques?

Vulnerability enables remote exploitation of public-facing JavaScript applications via crafted input (T1190), facilitating prototype pollution that tampers with object prototypes for runtime data manipulation (T1565.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References