CVE-2021-23413
Prototype Pollution vulnerability in jszip (npm)


What is CVE-2021-23413 About?

This vulnerability affects the jszip package before version 3.7.0 and enables Prototype Pollution attacks. An attacker can craft a zip file whose entry names are chosen so that, when the application loads the archive, the prototype of the returned object is modified. Exploitation is straightforward: the only requirement is that the application processes the specially crafted zip file.

Affected Software

  • jszip
    • >3.0.0, <3.7.0
    • <2.7.0

Technical Details

The jszip package before 3.7.0 is susceptible to a Prototype Pollution vulnerability. An attacker can create a zip file in which entry filenames are set to reserved Object.prototype property names such as __proto__, constructor, or toString. When the package processes this crafted zip file, it inadvertently modifies the global Object.prototype instance. The returned object therefore has a manipulated prototype chain, and the attacker can introduce arbitrary properties or methods that are then inherited by every object in the process, potentially altering application behavior or leading to further compromise.
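The mechanism described above, shown as an added example rather than jszip's own code: a hypothetical archive loader that turns entry names such as "dir/sub/file.txt" into a nested folder tree built from plain objects. When a path segment is a reserved key, the plain-object walk resolves "__proto__" to Object.prototype and writes the next segment onto it, polluting every object in the process. The hardened variant beside it uses null-prototype nodes and rejects reserved segments up front, and a small pre-screen function lets a defender check entry names before any archive library sees them. The entry list, the tree-builder functions and the reserved-name set are all constructed for this example and are not taken from the advisory or from jszip.

```javascript
// Added example: a toy archive "folder tree" builder, NOT jszip's own code.
// It models one way a loader can map entry names onto nested objects and
// why reserved keys in those names corrupt the prototype chain.

// Assumed reserved set; __proto__ is the one that reaches Object.prototype
// through a plain-object walk, the others guard the constructor.prototype path.
const RESERVED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed sample entry list. The last name has the shape the advisory
// describes: a reserved prototype key used as a path segment.
const SAMPLE_ENTRIES = ["docs/readme.txt", "src/index.js", "__proto__/polluted"];

// Vulnerable: walks the path with plain objects. For "__proto__/polluted",
// root["__proto__"] is Object.prototype (already defined, so not replaced),
// and the next segment is then written onto the global prototype.
function buildTreeVulnerable(names) {
  const root = {};
  for (const name of names) {
    let node = root;
    for (const seg of name.split("/")) {
      if (node[seg] === undefined) node[seg] = {};
      node = node[seg];
    }
  }
  return root;
}

// Hardened: null-prototype nodes (no inherited __proto__ accessor), own-
// property checks, and an explicit reject of reserved segments so a bad
// entry name fails loudly instead of silently altering every object.
function buildTreeHardened(names) {
  const root = Object.create(null);
  for (const name of names) {
    let node = root;
    for (const seg of name.split("/")) {
      if (RESERVED_SEGMENTS.has(seg)) {
        throw new Error(`rejected archive entry with reserved path segment: ${name}`);
      }
      if (!Object.prototype.hasOwnProperty.call(node, seg)) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
  }
  return root;
}

// Defensive pre-screen: returns the entry names a loader should refuse.
// Useful in front of an archive library that cannot be upgraded immediately.
function findReservedNames(names) {
  return names.filter((n) => n.split("/").some((s) => RESERVED_SEGMENTS.has(s)));
}

// Runs the vulnerable builder and records whether an unrelated, freshly
// created object picked up the attacker-chosen key. The global side effect
// is removed afterwards so the process is left clean.
function demonstratePollution(names) {
  const before = "polluted" in {};
  buildTreeVulnerable(names);
  const after = "polluted" in {};
  delete Object.prototype.polluted; // undo the pollution this demo caused
  return { before, after };
}

console.log("vulnerable builder:", demonstratePollution(SAMPLE_ENTRIES));
console.log("names a loader should refuse:", findReservedNames(SAMPLE_ENTRIES));
```

The two builders differ in only a few lines, which is the point: the fix is not in the zip parsing but in how entry names are used as object keys. Null-prototype containers remove the inherited __proto__ accessor entirely, and the explicit reject turns a hostile archive into a logged error rather than a silent, process-wide change.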

What is the Impact of CVE-2021-23413?

Successful exploitation may allow attackers to corrupt object prototypes, leading to unexpected application behavior, denial of service, or potentially arbitrary code execution within the environment.

What is the Exploitability of CVE-2021-23413?

Exploiting this vulnerability is of low to medium complexity: the attacker only has to create a specially crafted zip file. No authentication or specific privileges are required beyond the ability to deliver a malicious zip file to an application that uses the affected jszip package. The attack vector is typically remote, since the attacker supplies the archive. The one condition for exploitation is that the application processes the attacker-controlled zip file data; the risk increases if the application automatically extracts or reads metadata from untrusted zip archives.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-23413?

Available Upgrade Options

  • jszip
    • <2.7.0 → Upgrade to 2.7.0
    • >3.0.0, <3.7.0 → Upgrade to 3.7.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23413?

Similar Vulnerabilities: CVE-2021-26707, CVE-2020-28282, CVE-2020-7798, CVE-2019-10744, CVE-2018-3721