CVE-2021-26707
prototype-pollution vulnerability in merge-deep (npm)

What is CVE-2021-26707 About?

This vulnerability in the merge-deep library allows for prototype-pollution attacks in Node.js applications. Attackers can overwrite properties of Object.prototype, leading to widespread impact across the application. Exploitation is relatively easy once an attacker can provide malicious input to the merge-deep function.

Affected Software

merge-deep <3.0.3

Technical Details

The merge-deep library before version 3.0.3 for Node.js fails to properly handle certain input, allowing an attacker to overwrite properties of Object.prototype or add new properties to it. When an application uses this library, any modification to Object.prototype is then inherited by every other object in the program. This enables prototype-pollution attacks, in which malicious properties or methods are introduced into all objects, potentially altering application logic, manipulating data, or causing denial of service.

What is the Impact of CVE-2021-26707?

Successful exploitation may allow attackers to alter object prototypes globally, leading to arbitrary code execution, denial of service, or unauthorized data modification within the application.

What is the Exploitability of CVE-2021-26707?

Exploitation involves crafting malicious input that the affected library processes. The complexity is low, primarily requiring an attacker to control data passed to the merge-deep function. There are no specific authentication or privilege requirements to trigger the vulnerability, as it depends on how user-controlled data is handled by the application. This is typically a remote vulnerability, relying on an application processing external input. The primary risk factor is the application's reliance on the vulnerable merge-deep library and its failure to sanitize or validate input before merging it.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2021-26707?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch updates a JavaScript object merging function to block not only the dangerous key '__proto__' but also 'constructor' and 'prototype' by using an isValidKey check. This prevents prototype pollution, which could allow attackers to manipulate the object prototype and potentially execute arbitrary code or alter application behavior, thus addressing CVE-2021-26707.
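The following added example (a simplified recursive merge written for this page, not merge-deep's source or the Resolved Security patch) shows why the check rejects all three keys rather than only '__proto__'. The name `isValidKey` comes from the fix description above; its body, the `merge`, `pollutes` and `protoOnly` helpers, and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration; a simplified recursive merge, not merge-deep's source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Name taken from the fix description; this body is an assumption.
function isValidKey(key) {
  return !BLOCKED_KEYS.has(key);
}

function isMergeable(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// Recursively copy `source` into `target`, skipping keys rejected by `keyCheck`.
function merge(target, source, keyCheck) {
  for (const key of Object.keys(source)) {
    if (!keyCheck(key)) continue;
    const value = source[key];
    if (isMergeable(value) && isMergeable(target[key])) {
      merge(target[key], value, keyCheck);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample inputs. JSON.parse creates "__proto__" as an own property.
const SAMPLES = [
  '{"__proto__": {"polluted": true}}',
  '{"constructor": {"prototype": {"polluted": true}}}',
];

// Returns true if merging `json` made `polluted` visible on an unrelated object.
function pollutes(json, keyCheck) {
  try {
    merge({}, JSON.parse(json), keyCheck);
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted; // keep the process clean between runs
  }
}

// Hypothetical weaker guard that rejects only '__proto__'.
const protoOnly = (key) => key !== '__proto__';
for (const json of SAMPLES) {
  console.log(json, '| __proto__-only guard:', pollutes(json, protoOnly),
    '| isValidKey:', pollutes(json, isValidKey));
}
```

The same `pollutes` helper can serve as a regression test around any merge utility that receives parsed request bodies or configuration from outside the application.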

Available Upgrade Options

  • merge-deep
    • <3.0.3 → Upgrade to 3.0.3

Additional Resources

What are Similar Vulnerabilities to CVE-2021-26707?

Similar Vulnerabilities: CVE-2021-23413, CVE-2020-28282, CVE-2020-7798, CVE-2019-10744, CVE-2018-3721