An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart.
While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.
The deepMerge() function in packages/nocodb/src/utils/dataUtils.ts does not filter the keys __proto__, constructor and prototype before assigning or recursing into them:
export const deepMerge = (target: any, ...sources: any[]) => {
  // ...
  Object.keys(source).forEach((key) => {
    if (isMergeableObject(source[key])) {
      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
      deepMerge(target[key], source[key]); // Recursively merges __proto__
    } else {
      target[key] = source[key];
    }
  });
  // ...
};
The testConnection endpoint (packages/nocodb/src/controllers/utils.controller.ts) passes user-controlled input directly to deepMerge():
config = await integration.getConfig();
deepMerge(config, body);
When an attacker sends {"__proto__": {"super": true}}, the super property is written to Object.prototype, affecting all plain objects in the Node.js process.
This pollutes Object.prototype globally, breaking all subsequent database write operations for all users until the process is restarted.
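The following is an added example, not NocoDB's code, covering both the deepMerge() passage and the testConnection passage above. It shows a merge hardened against the three keys named in the advisory, an assumed request-body helper standing in for the endpoint's `deepMerge(config, body)` call, and a check a test suite or health probe can use to confirm Object.prototype has not gained a key. The isMergeableObject definition, the mergeConnectionBody and prototypeHasNoKey helpers, and the sample config are assumptions; the payload is the one quoted in the advisory.

```typescript
// Added example, not NocoDB's own code: a deepMerge hardened against
// prototype pollution. isMergeableObject is assumed here (the advisory does
// not show the project's definition).
const UNSAFE_KEYS: ReadonlySet<string> = new Set(["__proto__", "constructor", "prototype"]);

type Dict = Record<string, unknown>;

const isMergeableObject = (value: unknown): value is Dict =>
  value !== null && typeof value === "object";

export const safeDeepMerge = (target: Dict, ...sources: unknown[]): Dict => {
  for (const source of sources) {
    if (!isMergeableObject(source)) continue;
    // Object.keys yields own enumerable keys only, which does include an own
    // "__proto__" key as produced by JSON.parse on a request body.
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // drop prototype-reaching keys
      const value = source[key];
      if (isMergeableObject(value)) {
        // Only descend into a container the target itself owns; an inherited
        // property (e.g. Object.prototype) is never used as a merge target.
        if (!Object.prototype.hasOwnProperty.call(target, key) || !isMergeableObject(target[key])) {
          target[key] = Array.isArray(value) ? [] : {};
        }
        safeDeepMerge(target[key] as Dict, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
};

// Assumed request handling (hypothetical helper): parse the JSON body and
// merge it into the integration config, as the endpoint does, but through
// the hardened merge.
export const mergeConnectionBody = (config: Dict, rawBody: string): Dict =>
  safeDeepMerge(config, JSON.parse(rawBody));

// Defender-side check for a test or health probe: a fresh plain object must
// not inherit the given key (e.g. "super") from Object.prototype.
export const prototypeHasNoKey = (key: string): boolean => !(key in {});

// Constructed sample: the payload quoted in the advisory plus a legitimate
// nested field, merged into a config shaped like an integration's.
const config: Dict = { client: "pg", connection: { host: "db.example" } };
const merged = mergeConnectionBody(
  config,
  '{"__proto__": {"super": true}, "connection": {"port": 5432}}',
);
console.log(JSON.stringify(merged));     // {"client":"pg","connection":{"host":"db.example","port":5432}}
console.log(prototypeHasNoKey("super")); // true
```

Two points in the hardened version matter beyond the key denylist: the target is only descended into when it owns the key itself (so an inherited Object.prototype is never handed to the recursive call), and the merge sees only own enumerable keys of the source, which is exactly where JSON.parse places an attacker-supplied "__proto__". prototypeHasNoKey is only meaningful for keys that are not legitimately on Object.prototype (it reports false for "toString", for instance).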
{
  "nvd_published_at": "2026-01-28T21:16:12Z",
  "github_reviewed_at": "2026-01-28T21:41:26Z",
  "github_reviewed": true,
  "severity": "MODERATE",
  "cwe_ids": [
    "CWE-1321"
  ]
}