Where Severity Scores Go Wrong: “Just Add Prototype Pollution”
JFrog's security research team examines how CVSS severity scores can overstate real-world risk, using a wave of 10 Axios CVEs as a case study. All these vulnerabilities share a critical prerequisite: they require a pre-existing prototype pollution vulnerability in the same JavaScript runtime to be exploitable. A proof-of-concept chains a known Lodash prototype pollution flaw (CVE-2019-10744) with an Axios proxy injection gadget to demonstrate a full Man-in-the-Middle attack — but only when both conditions are present simultaneously. JFrog found that NVD rated some of these as CRITICAL while their own contextual analysis rated them LOW or MEDIUM. The post argues that gadget-style vulnerabilities are routinely over-scored because scoring systems evaluate theoretical maximum impact rather than realistic exploitation prerequisites. Organizations are advised to treat CVSS as a starting point and apply contextual analysis before prioritizing remediation.
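The prerequisite described above is checkable at runtime. The following is an added example, not JFrog's or the Axios project's code: a constructed stand-in for a gadget that reads a setting by ordinary property lookup (so it only misbehaves when `Object.prototype` already carries a foreign key), an audit that flags unexpected own properties on the shared prototypes, and a hardening step that freezes them so the precondition cannot arise. The setting name `proxy` and the `readSetting` helper are assumptions for illustration.

```javascript
'use strict';
// Added example (not JFrog's or the Axios project's code). Demonstrates why a
// "gadget" CVE is inert without a separate prototype pollution bug, and what a
// defender can check or enforce in the same runtime.

// Shared prototypes that pollution bugs typically write into.
const SHARED_PROTOTYPES = { Object: Object.prototype, Array: Array.prototype };

// Baseline own keys of each shared prototype, captured at module load.
// Assumption: this module loads before any untrusted input is processed.
const BASELINE = Object.fromEntries(
  Object.entries(SHARED_PROTOTYPES).map(([name, proto]) => [
    name,
    new Set(Reflect.ownKeys(proto).map(String)),
  ])
);

// Constructed stand-in for a gadget (hypothetical, not Axios code): a settings
// reader that uses normal property lookup, which walks the prototype chain.
// With a clean prototype it returns null; with a polluted one it returns
// whatever key the pollution left behind.
function readSetting(options, key) {
  return key in options ? options[key] : null;
}

// Audit: own properties on the shared prototypes that were absent at baseline.
// A non-empty result means some earlier code polluted a prototype, i.e. the
// precondition for the gadget-style CVEs is now satisfied.
function findPrototypePollution() {
  const findings = [];
  for (const [name, proto] of Object.entries(SHARED_PROTOTYPES)) {
    for (const key of Reflect.ownKeys(proto).map(String)) {
      if (!BASELINE[name].has(key)) findings.push({ prototype: name, key });
    }
  }
  return findings;
}

// Hardening: freeze the shared prototypes. A later assignment such as
// Object.prototype.x = ... then throws in strict mode (and is silently ignored
// in sloppy mode), so a pollution bug elsewhere has nothing to write into.
function hardenPrototypes() {
  for (const proto of Object.values(SHARED_PROTOTYPES)) Object.freeze(proto);
  return Object.values(SHARED_PROTOTYPES).every((p) => Object.isFrozen(p));
}
```

Run the audit early in process start-up (or in CI against the fully loaded dependency graph); freezing prototypes is a stronger control but must be tested against libraries that legitimately patch built-ins.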