CVE-2021-3918
Improperly Controlled Modification of Object Prototype Attributes vulnerability in json-schema (npm)


What is CVE-2021-3918 About?

This vulnerability, classified as Prototype Pollution, affects the json-schema package before version 0.4.0. It allows an attacker to inject or modify properties of `Object.prototype`. Because such a change affects all objects in a JavaScript application, it can lead to security issues such as remote code execution or denial of service. Exploiting this vulnerability can be straightforward if an attacker can control object keys merged by the vulnerable package.

Affected Software

json-schema <0.4.0

Technical Details

The json-schema package, prior to version 0.4.0, is vulnerable to Prototype Pollution. This type of vulnerability occurs when a program allows attackers to control or inject properties into `Object.prototype` (or other fundamental prototypes). Typically, this happens when unsafe recursive merge or assignment operations are performed on objects where the keys can be user-controlled. If an attacker can provide input like `__proto__` or `constructor.prototype` as a key, and assign a value to it, that property will be added to `Object.prototype`, affecting all objects in the application. This can lead to overwriting crucial methods, introducing new properties that alter program logic, or even triggering arbitrary code execution depending on how the application processes object properties.
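
The pattern described above, as an added example (not code from json-schema or from this advisory): a generic recursive merge that follows `__proto__`, beside a hardened version that skips prototype-reaching keys and only recurses into own properties. The function names and the sample JSON body are constructed for illustration.

```javascript
// Added illustration: a generic recursive merge, NOT json-schema's source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: every key is followed, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion
// writes the caller-supplied properties onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObj(source[key]) && isObj(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip prototype-reaching keys and only recurse into
// properties the target owns itself, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const owned = Object.prototype.hasOwnProperty.call(target, key);
    if (isObj(value) && owned && isObj(target[key])) {
      safeMerge(target[key], value);
    } else {
      target[key] = isObj(value) ? safeMerge({}, value) : value;
    }
  }
  return target;
}

// Constructed sample input standing in for an untrusted JSON body.
const SAMPLE_BODY = '{"name": "report", "__proto__": {"polluted": true}}';

function runDemo() {
  const out = {};
  out.safeResult = safeMerge({}, JSON.parse(SAMPLE_BODY));
  out.afterSafe = ({}).polluted;      // prototype untouched
  unsafeMerge({}, JSON.parse(SAMPLE_BODY));
  out.afterUnsafe = ({}).polluted;    // inherited by every object
  delete Object.prototype.polluted;   // undo the pollution in this process
  out.afterCleanup = ({}).polluted;
  return out;
}

console.log(runDemo());
```

`JSON.parse` creates `__proto__` as an ordinary own property, which is why `Object.keys` hands it to the merge loop in the first place.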

What is the Impact of CVE-2021-3918?

Successful exploitation may allow attackers to inject arbitrary properties into `Object.prototype`, leading to denial of service, remote code execution, unexpected application behavior, or information disclosure, compromising the application's integrity and confidentiality.

What is the Exploitability of CVE-2021-3918?

Exploitation typically involves providing specially crafted JSON input that contains `__proto__` or `constructor.prototype` as a key during an object merge or assignment operation within an application using the vulnerable json-schema package. The complexity depends on the application's data flow, but exploitation often requires only malicious input. Authentication requirements depend on whether the input mechanism is authenticated or public. Privilege requirements are low. This is primarily a remote access vulnerability if the application exposes an API that processes user-controlled JSON input. Special conditions include the application using json-schema to process untrusted data. Risk factors that increase the likelihood of exploitation include applications that merge or extend objects based on user-controlled data without proper sanitization or validation of property names.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-3918?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • json-schema
    • <0.4.0 → Upgrade to 0.4.0

Additional Resources

What are Similar Vulnerabilities to CVE-2021-3918?

Similar Vulnerabilities: CVE-2021-3805, CVE-2020-28283, CVE-2020-28282, CVE-2020-28281, CVE-2020-28280