CVE-2021-3805
Improperly Controlled Modification of Object Prototype Attributes vulnerability in object-path (npm)


What is CVE-2021-3805 About?

This vulnerability is a Prototype Pollution flaw in the `object-path` package, where the `del()` function fails to validate which object properties it deletes. This allows attackers to modify or delete properties on `Object.prototype`, affecting all objects in the application. This can lead to denial of service, unexpected behavior, or even remote code execution. Exploitation is straightforward if an attacker can control the path used with the `del()` function.

Affected Software

object-path <0.11.8

Technical Details

The `object-path` package is vulnerable to Prototype Pollution, specifically through its `del()` function. This function is intended to delete properties from an object based on a provided path. However, it lacks proper validation to prevent deletion of properties from `Object.prototype` (or other intrinsic prototypes) if the path provided is crafted to point to `__proto__` or `constructor.prototype`.

An attacker can specify a path like `__proto__.someProperty` or `constructor.prototype.anotherProperty`. When `del()` attempts to remove `someProperty` or `anotherProperty`, it will operate on `Object.prototype`, either deleting a legitimate property or one previously set by the attacker. This can disrupt application logic, cause crashes (Denial of Service), or facilitate further attacks like remote code execution if the application later relies on or processes properties from `Object.prototype`.

What is the Impact of CVE-2021-3805?

Successful exploitation may allow attackers to delete arbitrary properties from `Object.prototype`, leading to denial of service, unexpected application behavior, or remote code execution, compromising the application's integrity and availability.

What is the Exploitability of CVE-2021-3805?

Exploitation involves providing a specially crafted path, such as `__proto__.someProperty`, to the `del()` function of `object-path`. This is a low complexity attack if the attacker can control the path argument. No authentication is typically required if the input mechanism is publicly accessible. Privilege requirements are low for the attacker. This is a remote access vulnerability if the application exposes a feature that uses `object-path.del()` with user-controlled input. Special conditions include the application processing untrusted input that is then used as a path in `object-path.del()`. Risk factors increasing exploitation likelihood include applications that dynamically delete object properties based on unchecked user input, especially within JSON or similar data structures.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-3805?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents property deletion from special object keys like `__proto__`, `constructor`, and `prototype`, which stops prototype pollution attacks, thereby fixing CVE-2021-3805. By adding a check to return early if one of these dangerous keys is encountered, the patch ensures that attackers cannot use crafted property paths to tamper with JavaScript object prototypes and affect global object behavior.
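The deletion behaviour from Technical Details and the early-return guard described above, as an added JavaScript example; it is not object-path's source or the Resolved Security patch. `naiveDel`, `safeDel`, `prototypeSurvives` and the `cveDemoMarker` property are hypothetical names constructed for this illustration.

```javascript
// Added example: simplified stand-ins, not object-path's source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept "a.b.c" or ['a', 'b', 'c'] and return an array of string segments.
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Unguarded deletion (hypothetical): plain property access on every segment,
// so "__proto__" or "constructor.prototype" walks onto Object.prototype.
function naiveDel(obj, path) {
  const segs = toSegments(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    cur = cur[segs[i]];
    if (cur === null || (typeof cur !== 'object' && typeof cur !== 'function')) return obj;
  }
  delete cur[segs[segs.length - 1]];
  return obj;
}

// Guarded deletion (hypothetical): return early when any segment is a blocked
// key, and descend only through the object's own properties.
function safeDel(obj, path) {
  const segs = toSegments(path);
  if (segs.some((s) => BLOCKED_KEYS.has(s))) return obj;
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) return obj;
    cur = cur[segs[i]];
    if (cur === null || typeof cur !== 'object') return obj;
  }
  delete cur[segs[segs.length - 1]];
  return obj;
}

// Constructed check: a temporary marker stands in for anything the application
// inherits from Object.prototype. Returns true if the marker survives delFn.
function prototypeSurvives(delFn, path) {
  Object.defineProperty(Object.prototype, 'cveDemoMarker', {
    value: 'inherited', configurable: true, writable: true, enumerable: false,
  });
  try {
    delFn({ profile: { nickname: 'a' } }, path);
    return ({}).cveDemoMarker === 'inherited';
  } finally {
    delete Object.prototype.cveDemoMarker; // always clean up the marker
  }
}
```

The same `prototypeSurvives` check works as a regression test around any path-based delete helper in an application that cannot upgrade immediately.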

Available Upgrade Options

  • object-path
    • <0.11.8 → Upgrade to 0.11.8


Additional Resources

What are Similar Vulnerabilities to CVE-2021-3805?

Similar Vulnerabilities: CVE-2021-3918, CVE-2020-28283, CVE-2020-28282, CVE-2020-28281, CVE-2020-28280