Platform: javascript
Component: web-audio-recorder-js
Fixed in: 0.1.1, 0.1.2
A prototype pollution vulnerability has been identified in web-audio-recorder-js versions 0.1 through 0.1.1. This flaw allows attackers to manipulate object prototype attributes, potentially leading to unexpected application behavior and security compromises. The vulnerability resides within the extend function in lib/WebAudioRecorder.js. A public exploit is available, highlighting the potential for immediate exploitation.
Prototype pollution occurs when an attacker can modify the prototype of built-in JavaScript objects or user-defined constructor functions. In this case, polluting a prototype through the extend function in WebAudioRecorder.js could allow an attacker to inject malicious properties or override existing ones, potentially leading to denial of service, information disclosure, or even remote code execution, depending on how the application uses the modified prototype. The availability of a public exploit significantly increases the risk, as it lowers the barrier to entry for attackers. The complexity of the attack is considered difficult, but the public availability of the exploit reduces the effort an attacker needs.
This vulnerability is publicly known and has a corresponding public proof-of-concept. The vulnerability was disclosed on 2026-02-23. The vendor was contacted but did not respond. The EPSS score is likely medium due to the public exploit and lack of vendor response, indicating a moderate probability of exploitation.
EPSS: 0.05% (15% percentile)
The primary mitigation is to upgrade to a patched version of web-audio-recorder-js. As no fixed version is currently available, consider removing or disabling the web-audio-recorder-js component if possible. If removal is not feasible, implement strict input validation on any data used by the extend function to prevent malicious input from reaching the prototype. Monitor application logs for unusual behavior or unexpected property modifications. Consider using a Web Application Firewall (WAF) to filter requests that attempt to manipulate object prototypes.
Update the web-audio-recorder-js library to a patched version that mitigates the prototype pollution vulnerability. If a patched version is not available, consider replacing the library or implementing additional security measures to prevent dynamic configuration manipulation.
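The input validation recommended above, shown as an added example (it is not code from web-audio-recorder-js or from this advisory): a check that flags prototype-reaching keys in untrusted data, and a recursive merge that refuses to copy them. The names findBlockedKeys and safeExtend are hypothetical, and the sample input is constructed.

```javascript
// Keys that let a recursive merge reach Object.prototype or a constructor's prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Report every path in untrusted data that carries a blocked key, so the
// caller can reject the input or log it before any merge happens.
function findBlockedKeys(value, path = "", hits = []) {
  if (value === null || typeof value !== "object") return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) hits.push(here);
    else findBlockedKeys(value[key], here, hits);
  }
  return hits;
}

// Hypothetical hardened stand-in for a recursive extend(): copies own
// enumerable keys only, skips blocked keys, and never descends into a
// value the target merely inherits from its prototype chain.
function safeExtend(target, ...sources) {
  for (const src of sources) {
    if (!isPlainObject(src)) continue;
    for (const key of Object.keys(src)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const val = src[key];
      if (isPlainObject(val)) {
        const own = Object.prototype.hasOwnProperty.call(target, key) &&
          isPlainObject(target[key]);
        target[key] = safeExtend(own ? target[key] : {}, val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
const untrusted = JSON.parse(
  '{"encoding":"wav","options":{"__proto__":{"polluted":true},"timeLimit":60}}');
const defaults = { encoding: "ogg", options: { timeLimit: 300, bufferSize: 4096 } };
const merged = safeExtend({}, defaults, untrusted);
console.log(findBlockedKeys(untrusted), merged, ({}).polluted);
```

Running findBlockedKeys on request data before it reaches any merge also gives a concrete signal to log, which supports the monitoring step in the mitigation text.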
CVE-2026-2964 is a medium-severity prototype pollution vulnerability affecting web-audio-recorder-js versions 0.1–0.1.1, allowing attackers to manipulate object prototypes and potentially compromise application behavior.
You are affected if your web application uses web-audio-recorder-js versions 0.1 or 0.1.1. Check your project dependencies to confirm.
Upgrade to a patched version of web-audio-recorder-js. As no patch is available, remove or disable the component and implement strict input validation.
A public exploit exists, indicating a potential for active exploitation. Monitor your application and logs for suspicious activity.
As of this writing, no official advisory has been released by the vendor. Refer to the CVE details and security blogs for updates.