# REPRO-2026-00097: CASL Ability: Prototype Pollution via Condition Handling

## Summary

Status: published
Severity: critical
Type: security
Confidence: Unknown

## Identifiers

REPRO ID: REPRO-2026-00097
GHSA: GHSA-x9vf-53q3-cvx6
CVE: CVE-2026-1774

## Package

Name: @casl/ability
Ecosystem: npm
Affected: >= 2.4.0, <= 6.7.4
Fixed: 6.7.5

## Root Cause

# Root Cause Analysis: GHSA-x9vf-53q3-cvx6

## Summary

The CASL Ability library (versions 2.4.0 through 6.7.4) contains a prototype pollution vulnerability in the `setByPath` utility function. When the `rulesToFields` function processes ability rules whose condition keys contain dangerous segments such as `__proto__.polluted`, it passes those keys to `setByPath` as paths, and `setByPath` traverses and modifies object properties along them without validating against dangerous property names. This allows an attacker to pollute `Object.prototype`, potentially leading to privilege escalation, denial of service, or unauthorized access across the entire application.

## Impact

- **Package**: `@casl/ability` (npm)
- **Affected Versions**: >= 2.4.0, <= 6.7.4
- **Fixed in Version**: 6.7.5
- **CVE**: CVE-2026-1774
- **CVSS**: 9.8 (CRITICAL)
- **CVSS Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- **CWE**: CWE-1321 (Prototype Pollution)

### Risk Level and Consequences

This is a critical severity vulnerability with the following potential impacts:

- **Confidentiality**: High - Attackers may bypass authorization checks by manipulating object properties
- **Integrity**: High - Modified prototypes can alter application behavior globally
- **Availability**: High - Polluted prototypes can cause application crashes or infinite loops

The vulnerability affects any application that calls `rulesToFields` from `@casl/ability/extra` on rules whose conditions are user-controlled.

## Root Cause

The vulnerability exists in the `setByPath` function in `packages/casl-ability/src/utils.ts`. This function sets a nested property on an object using a dot-notation path string.
Prior to the fix, `setByPath` did not validate the property names within the path, so dangerous properties such as `__proto__`, `constructor`, and `prototype` could appear as path segments.

### Vulnerable Code Pattern

```typescript
// Vulnerable version (before 6.7.5), packages/casl-ability/src/utils.ts
import { AnyObject } from './types'; // the package's own plain-object type alias

export function setByPath(object: AnyObject, path: string, value: unknown): void {
  let ref = object;
  let lastKey = path;

  if (path.indexOf('.') !== -1) {
    const keys = path.split('.');
    lastKey = keys.pop()!;
    // Walk (and create) the intermediate objects for every segment but the last.
    ref = keys.reduce((res, prop) => {
      // NO VALIDATION - dangerous properties allowed; a "__proto__" segment
      // makes res[prop] resolve to Object.prototype instead of a fresh object
      res[prop] = res[prop] || {};
      return res[prop] as AnyObject;
    }, object);
  }

  ref[lastKey] = value; // Direct assignment without validation
}
```

### Attack Vector

The `rulesToFields` function is part of the public API and is commonly used to extract rule conditions into field objects. When an attacker can control the conditions of rules passed to `rulesToFields`, they can craft a malicious path:

```javascript
can('read', 'Post', { '__proto__.__pollutedValue__': 1 })
```

When `rulesToFields` processes this rule, it calls:

```javascript
setByPath(fields, '__proto__.__pollutedValue__', 1)
```

This traverses `fields.__proto__` (which is `Object.prototype`) and sets `__pollutedValue__ = 1`, polluting the global object prototype.

### Fix

The patch introduces a `FORBIDDEN_PROPERTIES` set and validates each property in the path:

```typescript
const FORBIDDEN_PROPERTIES = new Set(['__proto__', 'constructor', 'prototype']);

export function setByPath(object: AnyObject, path: string, value: unknown): void {
  // ... path splitting ...
  ref = keys.reduce((res, prop) => {
    if (FORBIDDEN_PROPERTIES.has(prop)) return res; // BLOCKED: stay on the current object
    res[prop] = res[prop] || {};
    return res[prop] as AnyObject;
  }, object);

  if (!FORBIDDEN_PROPERTIES.has(lastKey)) {
    ref[lastKey] = value; // Only set if not forbidden
  }
}
```

**Fix Commit**: https://github.com/stalniy/casl/commit/39da920ec1dfadf3655e28bd0389e960ac6871f4

## Reproduction Steps

The reproduction script is located at `repro/reproduction_steps.sh`.

### What the Script Does

1. **Installs vulnerable version (6.7.3)**: Sets up a test environment with the vulnerable `@casl/ability` package
2. **Tests prototype pollution**: Creates an ability with a malicious condition containing `__proto__.__pollutedValue__` and calls `rulesToFields`. Verifies that `Object.prototype` is polluted.
3. **Installs patched version (6.7.5)**: Upgrades to the fixed version
4. **Verifies the fix**: Repeats the test and confirms that `Object.prototype` is NOT polluted in the fixed version

### Expected Evidence

The script produces the following evidence in `logs/`:

- `npm_install_vuln.log` - Installation of vulnerable version
- `test_vulnerable.log` - Demonstrates prototype pollution
- `npm_install_fixed.log` - Installation of fixed version
- `test_fixed.log` - Confirms fix works

**Key Evidence from Vulnerable Version:**

```
Before test: ({}).__pollutedValue__ = undefined
After rulesToFields: ({}).__pollutedValue__ = 1
Returned fields: {}
[FAIL] Prototype pollution confirmed! Object.prototype was polluted.
```

**Key Evidence from Fixed Version:**

```
Before test: ({}).__pollutedValue__ = undefined
After rulesToFields: ({}).__pollutedValue__ = undefined
Returned fields: {"__pollutedValue__":1}
[PASS] Fix confirmed! Object.prototype was NOT polluted.
```

Note: In the fixed version, the value is stored in the returned fields object (as expected) but does NOT pollute the global `Object.prototype`.
## Evidence

All evidence is captured in the `logs/` directory:

- `/root/.pruva/runs/ghsa-x9vf-53q3-cvx6_20260219-193039/logs/npm_install_vuln.log`
- `/root/.pruva/runs/ghsa-x9vf-53q3-cvx6_20260219-193039/logs/test_vulnerable.log`
- `/root/.pruva/runs/ghsa-x9vf-53q3-cvx6_20260219-193039/logs/npm_install_fixed.log`
- `/root/.pruva/runs/ghsa-x9vf-53q3-cvx6_20260219-193039/logs/test_fixed.log`

### Environment Details

- **Node.js**: Available via npm
- **Tested Versions**:
  - Vulnerable: 6.7.3 (also affected 2.4.0 through 6.7.4)
  - Fixed: 6.7.5
- **Test Environment**: Linux, npm package manager

## Recommendations / Next Steps

### Immediate Actions

1. **Upgrade**: Update `@casl/ability` to version 6.7.5 or later immediately

   ```bash
   npm install @casl/ability@^6.7.5
   ```

2. **Audit**: Check whether your application uses `rulesToFields` with user-controlled rule conditions
3. **Input Validation**: Until patched, sanitize any user input that might be used in ability rule conditions

### Testing Recommendations

1. Run `npm audit` to identify vulnerable dependencies
2. Review code that constructs ability rules from user input
3. Add regression tests using the reproduction approach in this report
4. Monitor for suspicious rule conditions containing `__proto__`, `constructor`, or `prototype` keys

### Long-term Prevention

1. Implement automated security scanning in CI/CD pipelines
2. Use lockfiles and audit checks in pre-commit hooks
3. Subscribe to security advisories for @casl/ability

## Additional Notes

### Idempotency Confirmation

The reproduction script was executed **twice consecutively** with identical results:

- Run 1: Exit code 0 (vulnerability confirmed)
- Run 2: Exit code 0 (vulnerability confirmed)

Both runs successfully demonstrated:

1. Vulnerable version (6.7.3) allows prototype pollution
2. Fixed version (6.7.5) prevents prototype pollution

### Edge Cases and Limitations

- The vulnerability requires the use of the `rulesToFields` function with user-controlled conditions
- Applications that only use basic ability checks without `rulesToFields` may not be directly exploitable
- The fix properly handles both dot-notation paths (`__proto__.polluted`) and direct property assignments
- The fix also protects against `constructor.prototype` attack variants

## Reproduction Details

Reproduced: 2026-02-19T19:47:47.650Z
Duration: 379 seconds
Tool calls: 78
Turns: 48
Handoffs: 2

## Quick Verification

Run one of these commands to verify locally:

```bash
pruva-verify REPRO-2026-00097
pruva-verify GHSA-x9vf-53q3-cvx6
pruva-verify CVE-2026-1774
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00097&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```bash
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00097/artifacts/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.
## References

- GitHub Advisory: https://github.com/advisories/GHSA-x9vf-53q3-cvx6
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1774
- Source: https://github.com/advisories/GHSA-x9vf-53q3-cvx6

## Artifacts

- repro/reproduction_steps.sh (reproduction_script, 4001 bytes)
- repro/rca_report.md (analysis, 7540 bytes)
- bundle/ticket.json (other, 4302 bytes)
- bundle/ticket.md (ticket, 1286 bytes)
- bundle/source.json (other, 2236 bytes)
- repro/casl/packages/casl-ability/src/utils.ts (other, 5420 bytes)
- repro/casl/packages/casl-ability/src/extra/rulesToFields.ts (other, 896 bytes)
- repro/casl/packages/casl-ability/spec/rulesToFields.spec.ts (other, 2432 bytes)
- repro/casl/ (remaining files of the full upstream stalniy/casl checkout: the other packages, docs-src, CI configuration and pnpm-lock.yaml; not listed individually)
- logs/variant1.log (log, 129 bytes)
- logs/variant2.log (log, 129 bytes)
- logs/variant3.log (log, 145 bytes)
- logs/variant4.log (log, 201 bytes)
- logs/variant5.log (log, 150 bytes)
- logs/variant6.log (log, 295 bytes)
- logs/variant7.log (log, 93 bytes)
- logs/variant8.log (log, 96 bytes)
- logs/npm_install_current.log (log, 126 bytes)
- logs/npm_install_vuln.log (log, 221 bytes)
- logs/test_vulnerable.log (log, 186 bytes)
- logs/npm_install_fixed.log (log, 137 bytes)
- logs/test_fixed.log (log, 203 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00097
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00097/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00097

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev