CVE-2021-4279
Prototype Pollution vulnerability in fast-json-patch (npm)
What is CVE-2021-4279 About?
This vulnerability is a prototype pollution flaw found in Starcounter-Jack JSON-Patch up to 3.1.0. It allows an attacker to improperly modify object prototype attributes, which can lead to unpredictable behavior, bypass security checks, or potentially achieve remote code execution. Exploitation is relatively easy and can be initiated remotely.
Affected Software
Technical Details
The prototype pollution vulnerability in Starcounter-Jack JSON-Patch up to 3.1.0 stems from its improper handling of JSON patch operations, specifically when processing paths whose segments include __proto__ or constructor and prototype. An attacker can craft a malicious JSON patch that, when applied, injects or modifies properties on the global Object.prototype. Since most JavaScript objects inherit from Object.prototype, adding properties there effectively adds them to all objects. This can subvert application logic, bypass security checks (e.g., by setting an isAdmin flag on the prototype), or in some contexts lead to remote code execution by overwriting methods such as toString that the application calls implicitly.
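To make the mechanism concrete, the following is an added illustration, not code from fast-json-patch: a deliberately minimal JSON-Patch "add" applier that walks the path naively (so a /__proto__/… path lands on Object.prototype) next to a hardened variant that rejects prototype-reaching segments and only descends into the document's own properties, plus a small check a defender can use to confirm the prototype was not polluted. Function names, the FORBIDDEN set and the sample patches are assumptions made for this example.

```javascript
// Added example (hypothetical mini-applier, NOT fast-json-patch's own code).
// RFC 6902 path -> segments, unescaping "~1" -> "/" and "~0" -> "~".
function parsePath(path) {
  return path.split('/').slice(1)
    .map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Segments that let a path climb from the document onto a prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Weak applier: every segment is followed blindly. For "/__proto__/isAdmin",
// {}["__proto__"] is Object.prototype, so the final write pollutes it.
function naiveAdd(doc, path, value) {
  const segs = parsePath(path);
  let cur = doc;
  for (const s of segs.slice(0, -1)) {
    if (cur[s] === undefined) cur[s] = {};
    cur = cur[s];
  }
  cur[segs[segs.length - 1]] = value;
  return doc;
}

// Hardened applier: refuse prototype-reaching segments outright and create
// intermediate objects only when the key is not an OWN property of the
// current node, so inherited properties are never used as a traversal target.
// Caveat: this also rejects documents that legitimately use these key names.
function safeAdd(doc, path, value) {
  const segs = parsePath(path);
  if (segs.some(s => FORBIDDEN.has(s))) {
    throw new Error(`prototype-reaching path segment rejected: ${path}`);
  }
  let cur = doc;
  for (const s of segs.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, s)) cur[s] = {};
    cur = cur[s];
  }
  cur[segs[segs.length - 1]] = value;
  return doc;
}

// Detection check: a key that is visible on a brand-new empty object can only
// have come from the prototype chain, i.e. the global prototype is polluted.
function isPolluted(key) {
  return key in {};
}
```

Running the constructed patch `{"op":"add","path":"/__proto__/isAdmin","value":true}` through naiveAdd makes isPolluted('isAdmin') true for every object in the process; safeAdd throws before any write happens.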
What is the Impact of CVE-2021-4279?
Successful exploitation may allow attackers to improperly modify global object prototype attributes, leading to unpredictable application behavior, security bypasses, or arbitrary code execution.
What is the Exploitability of CVE-2021-4279?
Exploitation of this prototype pollution vulnerability is of low complexity. It requires an attacker to be able to supply specially crafted JSON input that is then processed by the vulnerable Starcounter-Jack JSON-Patch library. There are no specific authentication or privilege requirements mentioned. The attack can be initiated remotely, meaning the attacker does not need local access to the system. The primary constraint is the application's use of the vulnerable library to process untrusted JSON patches. The public disclosure of the exploit increases the likelihood of attack, making it a critical risk if the affected component is not upgraded.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-4279?
Available Upgrade Options
- fast-json-patch
- <3.1.1 → Upgrade to 3.1.1
Additional Resources
- https://blog.effectrenan.com/pwn2win-2021-illusion-web-challenge
- https://github.com/Starcounter-Jack/JSON-Patch/commit/7ad6af41eabb2d799f698740a91284d762c955c9
- https://www.huntr.dev/bounties/1-npm-fast-json-patch
- https://github.com/Starcounter-Jack/JSON-Patch
- https://github.com/Starcounter-Jack/JSON-Patch/releases/tag/3.1.1
- https://vuldb.com/?ctiid.216778
- https://nvd.nist.gov/vuln/detail/CVE-2021-4279
- https://vuldb.com/?id.216778
- https://osv.dev/vulnerability/GHSA-8gh8-hqwg-xf34
What are Similar Vulnerabilities to CVE-2021-4279?
Similar Vulnerabilities: CVE-2020-28283, CVE-2020-28468, CVE-2020-7712, CVE-2020-7713, CVE-2023-45133
