CVE-2026-44966

Shepherdwind · Velocity.js

A prototype pollution vulnerability in Velocity.js allows attackers to modify Object.prototype, potentially leading to Denial of Service or Remote Code Execution.

Executive summary

A critical prototype pollution vulnerability in Velocity.js versions 2.1.5 and earlier exposes applications to potential Remote Code Execution and Denial of Service attacks.

Vulnerability

This vulnerability occurs during the processing of #set directives in Velocity templates. It allows an unauthenticated remote attacker to inject malicious payloads into templates, potentially compromising the underlying server environment.

Business impact

With a CVSS score of 8.3, this high-severity vulnerability poses a significant risk to organizational infrastructure. Successful exploitation could result in full system compromise, unauthorized data access, or persistent service disruption, severely impacting business continuity and data integrity.

Remediation

Immediate Action: Upgrade to the latest version of Velocity.js as specified by the vendor advisory to resolve the underlying prototype pollution flaw.

Proactive Monitoring: Audit application logs for suspicious #set directive patterns or unexpected Object.prototype modifications that may indicate exploit attempts.

Compensating Controls: Implement a strict Content Security Policy (CSP) and input validation routines to sanitize template-bound data before rendering.
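As an added example that is not part of this advisory or of the Velocity.js project, the JavaScript below implements the two compensating checks described above: rejecting template-bound data whose keys can reach Object.prototype, and verifying after rendering that Object.prototype gained no unexpected properties. The `renderTemplate` argument is a hypothetical stand-in for the application's real rendering call.

```javascript
// Snapshot of Object.prototype taken at startup, before any untrusted input
// is processed; it is the baseline that later checks compare against.
const BASELINE = new Set(Reflect.ownKeys(Object.prototype).map(String));

// Keys through which an object graph can reach Object.prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk template-bound data (objects and arrays, nested to any depth) and
// return the dotted paths of every dangerous key found. An empty array
// means the data is safe to bind to a template.
function findDangerousKeys(data, path = '') {
  const hits = [];
  if (data === null || typeof data !== 'object') return hits;
  for (const key of Reflect.ownKeys(data)) {
    const k = String(key);
    const here = path ? `${path}.${k}` : k;
    if (DANGEROUS_KEYS.has(k)) hits.push(here);
    hits.push(...findDangerousKeys(data[key], here));
  }
  return hits;
}

// Return the names of Object.prototype properties that were not present in
// the startup baseline. Any hit means the prototype was polluted, whatever
// the source, and is the signal the advisory suggests monitoring for.
function detectPrototypePollution() {
  return Reflect.ownKeys(Object.prototype)
    .map(String)
    .filter((k) => !BASELINE.has(k));
}

// Guarded rendering: validate the data first, render with the supplied
// (hypothetical) renderTemplate function, then verify the prototype afterwards
// so that a successful pollution is caught before the process keeps serving.
function renderGuarded(renderTemplate, template, data) {
  const bad = findDangerousKeys(data);
  if (bad.length) throw new Error(`rejected template data keys: ${bad.join(', ')}`);
  const out = renderTemplate(template, data);
  const polluted = detectPrototypePollution();
  if (polluted.length) throw new Error(`Object.prototype polluted: ${polluted.join(', ')}`);
  return out;
}

module.exports = { findDangerousKeys, detectPrototypePollution, renderGuarded };
```

Data parsed from JSON must be checked with this walker rather than by inspecting object literals, because `JSON.parse` creates a real own property named `__proto__` while an object literal in source code does not.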

Exploitation status

Public Exploit Available: True

Analyst recommendation

The presence of a public exploit combined with the potential for Remote Code Execution makes this a high-priority remediation task. Security teams should prioritize patching affected applications immediately to prevent unauthorized access and potential system-wide compromise.