CVE-2026-45325
tmlmobilidade · go
A prototype pollution vulnerability in the Gestor de Oferta web application allows unauthenticated attackers to modify object attributes.
Executive summary
A critical prototype pollution vulnerability in the tmlmobilidade Gestor de Oferta application allows unauthenticated attackers to manipulate internal object attributes, potentially leading to unauthorized service behavior.
Vulnerability
This vulnerability involves improper control of object prototype attributes, known as prototype pollution (CWE-1321). An unauthenticated attacker can exploit this to inject malicious properties into the application's object prototypes, which may influence subsequent application logic.
Business impact
With a CVSS score of 8.2, this vulnerability poses a serious threat to the application's integrity. Successful exploitation could lead to privilege escalation, bypass of security checks, or service instability, potentially causing significant operational disruption.
Remediation
Immediate Action: Upgrade the Gestor de Oferta application to version 20260509.0340.15 or later.
Proactive Monitoring: Monitor application behavior for unexpected changes in object state or logic, which may indicate attempted prototype pollution.
Compensating Controls: Implement strict input validation and object freezing techniques in the application code to prevent the modification of prototype properties.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the severity of this vulnerability, immediate patching is recommended to secure the application against potential manipulation. Security teams should ensure the update is applied across all instances of the Gestor de Oferta platform.