Velocity.js Prototype Pollution Vulnerability in #set Directives Allowing Denial-of-Service or Remote Code Execution

Vulnerability

A prototype pollution vulnerability exists in Velocity.js versions 2.1.5 and earlier. This vulnerability arises during the processing of #set directives in Velocity templates. When an application renders a template that an attacker controls, it can be exploited to modify Object.prototype. This modification could lead to a denial-of-service condition or remote code execution, depending on the server environment.

Impact

Exploitation of this vulnerability allows for prototype pollution, which can be used to bypass security controls, cause application crashes, or be combined with other vulnerabilities to execute code remotely.

Reproduction

The vulnerability can be reproduced by rendering a Velocity template that includes a #set directive. The directive can be crafted so that its assignment path reaches Object.prototype, for example through '__proto__'; any property assigned that way then becomes visible on every object in the process.
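A defensive check for the behaviour described above, added here as an example and not code from the advisory or from Velocity.js: a static lint that rejects #set directives whose assignment path contains '__proto__', 'constructor' or 'prototype' before the template is rendered, plus a runtime comparison of Object.prototype's own keys before and after rendering to catch paths the lint cannot judge statically. The sample templates and the '$ref.path' / '$ref["key"]' syntax handled by the lint are assumptions about the template source being checked.

```javascript
// Added defensive example (not part of the advisory or of Velocity.js).
// Layer 1: static lint of #set directives. Layer 2: runtime check that
// Object.prototype gained no properties while a template was rendered.

// Path segments that reach Object.prototype when used in an assignment.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Captures the reference path on the left of '=' in: #set($ref.path = value)
const SET_LHS = /#set\s*\(\s*\$\{?([^=]+?)\}?\s*=/g;

// Splits a reference path into identifiers and quoted keys, e.g.
//   obj.__proto__.x   -> ['obj', '__proto__', 'x']
//   obj["__proto__"]  -> ['obj', '__proto__']
function pathSegments(lhs) {
  const tokens = lhs.match(/"[^"]*"|'[^']*'|[A-Za-z_][\w-]*/g) || [];
  return tokens.map(t => (t[0] === '"' || t[0] === "'") ? t.slice(1, -1) : t);
}

// Returns the assignment paths of #set directives that touch a dangerous key.
// A dynamic key such as $obj[$key] cannot be judged here; detectPollution()
// below is the safety net for those.
function findUnsafeSetDirectives(templateSource) {
  const hits = [];
  for (const m of templateSource.matchAll(SET_LHS)) {
    if (pathSegments(m[1]).some(s => DANGEROUS_KEYS.has(s))) {
      hits.push('$' + m[1].trim());
    }
  }
  return hits;
}

// Own keys of Object.prototype, taken before rendering.
function prototypeSnapshot() {
  return new Set(Reflect.ownKeys(Object.prototype));
}

// Keys added to Object.prototype since the snapshot; non-empty means pollution.
function detectPollution(snapshot) {
  return Reflect.ownKeys(Object.prototype).filter(k => !snapshot.has(k));
}

// Constructed sample templates (assumed input, not taken from the advisory).
const SAFE_TEMPLATE = '#set($greeting = "hello") $greeting $user.name';
const UNSAFE_TEMPLATE = '#set($user["__proto__"].polluted = true) $user.name';
```

In a real deployment the snapshot is taken before calling the template engine's render function and detectPollution() is evaluated right after it, failing the request if the list is non-empty.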

Added: May 26, 2026, 11:45 PM
Updated: May 26, 2026, 11:45 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  8.7
remediation     0.0
relevance       9.6
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.