CVE-2026-45325

tmlmobilidade · go

A prototype pollution vulnerability in the Gestor de Oferta web application allows unauthenticated attackers to modify object attributes.

Executive summary

A critical prototype pollution vulnerability in the tmlmobilidade Gestor de Oferta application allows unauthenticated attackers to manipulate internal object attributes, potentially leading to unauthorized service behavior.

Vulnerability

This vulnerability involves improper control of object prototype attributes, known as prototype pollution (CWE-1321). An unauthenticated attacker can exploit this to inject malicious properties into the application's object prototypes, which may influence subsequent application logic.

Business impact

With a CVSS score of 8.2, this vulnerability poses a serious threat to the application's integrity. Successful exploitation could lead to privilege escalation, bypass of security checks, or service instability, potentially causing significant operational disruption.

Remediation

Immediate Action: Upgrade the Gestor de Oferta application to version 20260509.0340.15 or later.

Proactive Monitoring: Monitor application behavior for unexpected changes in object state or logic, which may indicate attempted prototype pollution.

Compensating Controls: Implement strict input validation and object freezing techniques in the application code to prevent the modification of prototype properties.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the severity of this vulnerability, immediate patching is recommended to secure the application against potential manipulation. Security teams should ensure the update is applied across all instances of the Gestor de Oferta platform.