Description
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
Recommendation
Update the @casl/ability package to the latest compatible version. Version details:
- Affected version(s): >= 2.4.0, <= 6.7.4
- Patched version(s): 6.7.5
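To confirm which installed copies fall inside the affected range, including copies nested under other dependencies, a parsed npm lockfile can be checked against the versions listed above. This is an added example, not code from the advisory or from the CASL project; the function names and the sample lockfile (with its `legacy-acl` dependency) are constructed for illustration.

```javascript
// Range from the advisory: >= 2.4.0, <= 6.7.4 (patched in 6.7.5).
const PACKAGE = "@casl/ability";
const FIRST_AFFECTED = [2, 4, 0];
const LAST_AFFECTED = [6, 7, 4];
// Parse "major.minor.patch[-prerelease][+build]"; null if not a plain semver string.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(version).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], prerelease: Boolean(m[4]) } : null;
}
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// true = inside the affected range, false = outside, null = unparseable (review by hand).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const lower = compareCore(v.core, FIRST_AFFECTED);
  // Semver ordering: a prerelease of 2.4.0 sorts before 2.4.0, so it is below the range.
  if (lower < 0 || (lower === 0 && v.prerelease)) return false;
  return compareCore(v.core, LAST_AFFECTED) <= 0;
}

// List every installed copy, including copies nested under other dependencies.
function findInstalls(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const hit = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
      if (hit) found.push({ path, version: meta.version });
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (name === PACKAGE) found.push({ path: prefix + name, version: meta.version });
        walk(meta.dependencies, `${prefix}${name}/node_modules/`);
      }
    };
    walk(lock.dependencies, "node_modules/");
  }
  return found.map((f) => ({ ...f, affected: isAffected(f.version) }));
}

// Constructed sample lockfile; "legacy-acl" is a hypothetical dependency name.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/@casl/ability": { version: "6.7.5" },
  "node_modules/legacy-acl/node_modules/@casl/ability": { version: "5.4.4" },
} };
console.log(findInstalls(sampleLock));
```

In the sample, the top-level copy is already patched while the copy pulled in transitively is still in range, which is the case a top-level upgrade alone does not resolve.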
References
- GHSA-x9vf-53q3-cvx6
- cwe.mitre.org
- developer.mozilla.org
- www.kb.cert.org
- CVE-2026-1774
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- Immutable is vulnerable to Prototype Pollution - CVE-2026-29063
- enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain - CVE-2026-22686
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
Tags
- npm
- @casl/ability
Last updated on February 11, 2026