CVE-2021-25949
Prototype Pollution vulnerability in set-getter (npm)
What is CVE-2021-25949 About?
This vulnerability in the 'set-getter' package (version 0.1.0) allows for prototype pollution. An attacker can modify the prototype of JavaScript objects, which may lead to denial of service or potentially remote code execution. Exploitation requires providing specific input that manipulates object properties.
Affected Software
Technical Details
The 'set-getter' package version 0.1.0 is susceptible to a prototype pollution vulnerability. This occurs when an attacker can inject or modify arbitrary properties on the Object.prototype. In JavaScript, almost all objects inherit from Object.prototype, so changes made to it propagate to all objects in the application. An attacker can craft input that, when processed by the set-getter library, adds or modifies properties on Object.prototype. This can lead to a variety of consequences: modifying built-in functions, causing program crashes (Denial of Service), or in certain contexts, enabling bypasses of security mechanisms or even remote code execution if combined with other vulnerabilities or sensitive code paths.
What is the Impact of CVE-2021-25949?
Successful exploitation may allow attackers to cause a denial of service and potentially lead to remote code execution.
What is the Exploitability of CVE-2021-25949?
Exploitation complexity is moderate, requiring an attacker to craft specific input that, when processed by the 'set-getter' library, allows for prototype modification. No authentication is required if the application processes untrusted input that interacts with 'set-getter'. This can be a remote attack vector. The primary prerequisite is the use of the vulnerable set-getter version in a context where user-controlled input is processed. The risk of remote code execution is context-dependent and typically requires chaining with other vulnerabilities or specific application logic that relies on affected prototype properties.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2021-25949?
About the Fix from Resolved Security
This patch prevents property keys like proto, constructor, and prototype from being set on objects, which blocks prototype pollution attacks. By filtering out these dangerous keys, it fixes CVE-2021-25949 by ensuring malicious input cannot modify the global Object prototype and compromise application security.
Available Upgrade Options
- set-getter
- <0.1.1 → Upgrade to 0.1.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-25949
- https://github.com/doowb/set-getter
- https://web.archive.org/web/20210615022308/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25949
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25949
- https://github.com/doowb/set-getter/blob/5bc2750fe1c3db9651d936131be187744111378d/index.js#L56
- https://osv.dev/vulnerability/GHSA-jv35-xqg7-f92r
- https://github.com/doowb/set-getter/commit/66eb3f0d4686a4a8c7c3d6f7ecd8e570b580edc4
- https://github.com/doowb/set-getter/blob/5bc2750fe1c3db9651d936131be187744111378d/index.js#L56
What are Similar Vulnerabilities to CVE-2021-25949?
Similar Vulnerabilities: CVE-2020-28283 , CVE-2020-7699 , CVE-2020-7794 , CVE-2020-28460 , CVE-2020-13982
