Prototype Pollution Vulnerability in Enquirer by Node.js
CVE-2026-15187
Key Information:
Badges
What is CVE-2026-15187?
A security flaw has been identified in the Enquirer library, impacting versions up to 2.4.1. The vulnerability lies within the Enquirer.set function of the Public Package API, where improper handling of the question.name argument leads to uncontrolled modifications of object prototype attributes. This flaw can be exploited remotely, allowing an attacker to manipulate system functionality maliciously. The issue was reported to the project maintainers before the exploit became publicly accessible, increasing the urgency for users to apply updates and mitigate potential risks.
Affected Version(s)
enquirer 2.4.0
enquirer 2.4.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
