CVE-2021-43138
Privilege Escalation vulnerability in async (npm)

Privilege Escalation No known exploit Fixable By Resolved Security

What is CVE-2021-43138 About?

A vulnerability in Async through 3.2.1 (3.x) and 2.6.3 (2.x) allows a malicious user to obtain elevated privileges. This occurs via the `mapValues()` method, which can be improperly used to gain unauthorized access. Exploitation likely requires specific crafting of input to this method.

Affected Software

  • async
    • >2.0.0, <2.6.4
    • >3.0.0, <3.2.2

Technical Details

The vulnerability exists in the Async library, specifically affecting versions up to 3.2.1 for the 3.x branch and up to 2.6.3 for the 2.x branch (fixed in 3.2.2 and 2.6.4). The core issue lies within the mapValues() method. While the description is concise, 'obtaining privileges' via a method often implies that the method either fails to properly sanitize or validate input, or it implicitly trusts certain aspects of the input. A malicious user can likely craft specific input that, when processed by mapValues(), leads to unintended execution paths or modifications of internal state that allow for privilege escalation. This could involve manipulating values that get mapped to sensitive operations or data structures, thereby granting unauthorized access or control.

What is the Impact of CVE-2021-43138?

Successful exploitation may allow attackers to escalate privileges within the application, gaining access to sensitive data or performing unauthorized actions.

What is the Exploitability of CVE-2021-43138?

Exploitation complexity is likely moderate to high, as it requires a detailed understanding of the mapValues() method's implementation and how it processes input. An attacker would need the ability to provide specific, crafted input to this method. There are no explicit authentication requirements, but the ability to call the mapValues() method implies at least some level of interaction with the application. Elevated privileges are the goal of the exploit, so initial privileges can be low. This could potentially be a remote or local exploit depending on how the application exposes calls to mapValues() to user input. Special conditions often involve specific data structures or input formats that trigger the privilege escalation. The likelihood of exploitation increases if the application extensively uses mapValues() with untrusted internal data or user-supplied input.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-43138?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch skips the object key `__proto__` during iteration, preventing it from being accessed or manipulated. This mitigates the risk of prototype pollution, which is the vulnerability addressed by CVE-2021-43138, where an attacker could inject properties into Object.prototype, potentially leading to denial of service or arbitrary code execution.
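
The effect of skipping `__proto__`, shown with simplified synchronous stand-ins for a `mapValues()`-style copy. This is an added example, not code from async or from the Resolved Security patch; the function names and the sample input are constructed for illustration. In this reduced form the visible effect is that the result object's prototype is replaced.

```javascript
// Added example: simplified synchronous stand-ins, not the async library's source.
// mapValuesUnpatched, mapValuesPatched and prototypeWasReplaced are hypothetical names.

// Before the fix: every own key, including "__proto__", is copied to the result.
function mapValuesUnpatched(obj, iteratee) {
    const result = {};
    for (const key of Object.keys(obj)) {
        // For key "__proto__" this assignment runs the inherited __proto__
        // setter, so the mapped value becomes the prototype of `result`.
        result[key] = iteratee(obj[key], key);
    }
    return result;
}

// After the fix: the "__proto__" key is skipped during iteration.
function mapValuesPatched(obj, iteratee) {
    const result = {};
    for (const key of Object.keys(obj)) {
        if (key === '__proto__') continue;
        result[key] = iteratee(obj[key], key);
    }
    return result;
}

// Defensive check: a plain result object should still inherit from Object.prototype.
function prototypeWasReplaced(result) {
    return Object.getPrototypeOf(result) !== Object.prototype;
}

// Constructed input. JSON.parse stores "__proto__" as an ordinary own key,
// which is how such a key can arrive in parsed data.
const parsed = JSON.parse('{"name": "guest", "__proto__": {"injected": true}}');
const identity = (value) => value;

const before = mapValuesUnpatched(parsed, identity);
const after = mapValuesPatched(parsed, identity);

console.log(Object.keys(before), before.injected, prototypeWasReplaced(before));
console.log(Object.keys(after), after.injected, prototypeWasReplaced(after));
```

The `prototypeWasReplaced` check can be reused as a regression assertion in a test suite after upgrading to 2.6.4 or 3.2.2.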

Available Upgrade Options

  • async
    • >2.0.0, <2.6.4 → Upgrade to 2.6.4
  • async
    • >3.0.0, <3.2.2 → Upgrade to 3.2.2

Additional Resources

What are Similar Vulnerabilities to CVE-2021-43138?

Similar Vulnerabilities: CVE-2023-44474, CVE-2023-40156, CVE-2023-39328, CVE-2023-39327, CVE-2023-39326