CISA issues alert on CASL Ability prototype pollution in 2.4.0–6.7.4

CASL Ability versions 2.4.0 through 6.7.4 contain a prototype pollution vulnerability in the extra module's rulesToFields() function that can permit injection or modification of properties on Object.prototype within a Node.js process.

CVE-2026-1774 is associated with this issue and affects CASL Ability 2.4.0 through 6.7.4. The vulnerability stems from the extra module, where rulesToFields() uses a helper called setByPath(). setByPath() does not sanitize path segments before using them as property keys, so it accepts special names such as prototype and constructor. The __proto__ property can be used to traverse the prototype chain and write to Object.prototype, the root prototype of all objects.

Because every JavaScript object inherits from Object.prototype, a property written there becomes visible in every object in the process. The advisory states that this can allow an attacker to execute arbitrary code and potentially lead to a complete system compromise; bypass the intended authorization logic and gain unauthorized access to sensitive resources; manipulate application logic so that normally restricted actions are permitted; and cause crashes or unexpected behavior, and therefore a Denial of Service (DoS), when a polluted property does not match the type the code expects. Because the CASL library is used by multiple applications and services, a single exploit can have a ripple effect, compromising multiple systems and potentially leading to a widespread security breach.

Users of the library should upgrade to version 6.7.5 or later, available at https://github.com/stalniy/casl/tree/master/packages/casl-ability.

References included in the advisory are the project repository, the CWE entry at https://cwe.mitre.org/data/definitions/1321.html, and the MDN page on prototype pollution at https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution; the advisory also lists CVE-2026-1774 with a public date of 2026-02-10 and a last updated timestamp of 2026-02-10 15:14 UTC.