CVE-2021-23329
Prototype Pollution vulnerability in nested-object-assign (npm)

Prototype Pollution | No known exploit

What is CVE-2021-23329 About?

The 'nested-object-assign' package before version 1.0.4 is vulnerable to Prototype Pollution. This allows attackers to inject arbitrary properties into JavaScript object prototypes, which can lead to various security issues like remote code execution or denial of service. Exploitation is of moderate complexity, requiring interaction with the vulnerable function.

Affected Software

nested-object-assign <1.0.4

Technical Details

The vulnerability stems from improper handling of property assignments in the default function of the 'nested-object-assign' package. When an attacker controls the keys or properties passed to this function, specially constructed keys (e.g., __proto__ or constructor.prototype) let them inject or modify properties on Object.prototype. Because every ordinary JavaScript object inherits from Object.prototype, a property added or changed there is visible application-wide, which can enable privilege escalation, remote code execution in specific contexts, or denial of service by corrupting application logic. This is typically achieved by passing a malicious path like __proto__.maliciousProperty to the vulnerable function.
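As an added illustration of the pattern just described (constructed example code, not the nested-object-assign package's own implementation): a minimal recursive assign that is vulnerable in the way the advisory describes, beside a hardened variant that refuses to walk into the prototype chain. The payload object is constructed, and `nestedAssignVulnerable`, `nestedAssignSafe` and `demo` are hypothetical names chosen for this example.

```javascript
// Constructed example (not the nested-object-assign package's code): a naive
// recursive merge versus a hardened one, plus a check for Object.prototype pollution.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: recurses into whatever target[key] resolves to. For key "__proto__"
// that is Object.prototype itself, so nested values are written onto the shared prototype.
function nestedAssignVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      nestedAssignVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips prototype-reaching keys and only ever recurses into an OWN property
// of target, so no write can land on an inherited object.
function nestedAssignSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never descend into the prototype chain
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = own !== null && typeof own === 'object' ? own : {};
      target[key] = child; // own data property on target, not an inherited one
      nestedAssignSafe(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, as it would look after JSON.parse of a request body.
// JSON.parse creates "__proto__" as an ordinary own key, so Object.keys() returns it.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}, "user": {"name": "alice"}}');

// Runs one merge against a fresh target and reports whether Object.prototype was touched,
// then removes the polluted property so global state does not leak between runs.
function demo(assignFn) {
  const target = {};
  assignFn(target, PAYLOAD);
  const polluted = {}.polluted === 'yes';
  delete Object.prototype.polluted;
  return { polluted, name: target.user.name };
}

console.log('vulnerable:', demo(nestedAssignVulnerable)); // polluted: true
console.log('hardened:  ', demo(nestedAssignSafe));       // polluted: false
```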

What is the Impact of CVE-2021-23329?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to potential remote code execution by overwriting critical functions, denial of service through application crashes, or information disclosure by manipulating data structures.

What is the Exploitability of CVE-2021-23329?

Exploiting Prototype Pollution typically requires an attacker to supply specially crafted input to an application that uses the vulnerable 'nested-object-assign' package. The complexity of exploitation is moderate: it depends on whether the application passes user-controlled input, directly or indirectly, to the package's default function. There are no direct authentication or privilege requirements to trigger the vulnerability itself, but the impact and ease of achieving a higher-level compromise (such as RCE) depend on the application's overall structure and how it handles modified prototypes. It can be a remote attack if the application processes untrusted input from a network. Risk factors include applications that heavily rely on object merging or deep cloning of user-supplied data.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-23329?

Available Upgrade Options

  • nested-object-assign
    • <1.0.4 → Upgrade to 1.0.4


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23329?

Similar Vulnerabilities: CVE-2020-28283, CVE-2020-28280, CVE-2020-28279, CVE-2020-7760, CVE-2020-7754