Description
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
Recommendation
Update the @casl/ability package to the latest compatible version. Version details:
- Affected version(s): >= 2.4.0, <= 6.7.4
- Patched version(s): 6.7.5
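To find installed copies in the affected range, the following added example (not part of the advisory or the CASL project) scans the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3), including nested copies pulled in by other dependencies. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example; function names and SAMPLE_LOCK are constructed for illustration.
const PKG = '@casl/ability';
const AFFECTED_MIN = [2, 4, 0]; // advisory: >= 2.4.0
const AFFECTED_MAX = [6, 7, 4]; // advisory: <= 6.7.4

// Parse "major.minor.patch"; a pre-release or build suffix is ignored, so
// a 2.4.0 pre-release is conservatively reported as in range.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison per component, so 6.10.0 sorts above 6.7.4.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

// Return every installed copy of the package (top-level or nested) whose
// resolved version falls in the affected range.
function findAffected(lock) {
  const suffix = 'node_modules/' + PKG;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if ((path === suffix || path.endsWith('/' + suffix)) && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: top-level copy is patched, two nested copies are not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@casl/ability': { version: '6.7.5' },
    'node_modules/legacy-lib/node_modules/@casl/ability': { version: '5.4.4' },
    'node_modules/other/node_modules/@casl/ability': { version: '2.4.0' },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

A patched top-level entry does not clear the project: nested copies resolved by transitive dependencies are reported separately and need their own update or override.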
References
- GHSA-x9vf-53q3-cvx6
- cwe.mitre.org
- developer.mozilla.org
- www.kb.cert.org
- CVE-2026-1774
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-es - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950
Tags
- npm
- @casl/ability
Last updated on February 11, 2026


