CVE-2021-44906
Prototype Pollution vulnerability in minimist (npm)
What is CVE-2021-44906 About?
This vulnerability is a Prototype Pollution flaw in Minimist versions prior to 1.2.6 and 0.2.4. It allows an attacker to inject arbitrary properties into JavaScript object prototypes, which can lead to various security issues such as remote code execution or denial of service. Exploitation is typically straightforward for an attacker who can control input parameters.
Affected Software
- minimist
  - <0.2.4
  - >1.0.0, <1.2.6
Technical Details
The vulnerability resides in the setKey() function (lines 69-95) of the index.js file within the Minimist library. Prototype Pollution occurs when an attacker can modify the __proto__ property of an object, directly or indirectly, allowing them to add or alter properties on Object.prototype. Since most JavaScript objects inherit from Object.prototype, properties added here become accessible to virtually all objects. In setKey(), if an attacker can supply input that constructs a key path containing __proto__, they can manipulate the global Object.prototype, introducing new properties or overwriting existing ones. This enables attacks like property injection for bypassing security checks, altering application logic, or executing arbitrary code if coupled with other vulnerabilities like gadget chains or unsafe deserialization.
What is the Impact of CVE-2021-44906?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to various consequences such as remote code execution, denial of service, or property overwrites affecting application logic and security controls.
What is the Exploitability of CVE-2021-44906?
Exploitation of this Prototype Pollution vulnerability is typically of medium complexity, requiring the attacker to control input that is processed by the vulnerable setKey() function. There are no explicit authentication or privilege requirements mentioned, suggesting it can often be exploited by an unauthenticated attacker if they can provide crafted input to an application using the vulnerable library. This is generally a remote vulnerability, as input often comes from network requests. The primary constraint is the application's use of Minimist in a way that processes attacker-controlled input and the existence of a suitable gadget chain for achieving a more severe impact like RCE. Risk factors include applications parsing command-line arguments or configuration files from untrusted sources using Minimist.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| nevermoe | Link | PoC for CVE-2021-44906 |
What are the Available Fixes for CVE-2021-44906?
About the Fix from Resolved Security
This patch extends the mitigation against prototype pollution by additionally blocking assignment to the constructor property, not just __proto__. This better addresses CVE-2021-44906 by preventing attackers from using either the __proto__ key or the constructor key to reach and manipulate object prototypes, which could lead to arbitrary code execution or denial of service.
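The flaw in the Technical Details section and the fix described above, as an added example that is not minimist's own code: a minimal dotted-key setter in the shape of setKey(), beside a hardened version that refuses __proto__ and constructor keys the way the patch is described as doing. The names setKeyUnsafe, setKeySafe, isConstructorOrProto and isPolluted are assumed here.

```javascript
// Added example, not code from minimist. Models how a key-path setter
// reaches Object.prototype and how the guard stops it.

// Vulnerable shape: walks into whatever object the key names, including
// the inherited __proto__ slot, so the final write lands on Object.prototype.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (o[key] === undefined) o[key] = {};
    o = o[key]; // for "__proto__" this is Object.prototype
  }
  o[keys[keys.length - 1]] = value;
  return obj;
}

// Guard in the spirit of the fix: refuse "__proto__" outright and refuse
// "constructor" when it resolves to a function (whose .prototype is shared).
function isConstructorOrProto(obj, key) {
  return key === '__proto__' ||
    (key === 'constructor' && typeof obj[key] === 'function');
}

// Hardened shape: checks every path segment, including the last one,
// and silently drops the assignment instead of writing to a prototype.
function setKeySafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (isConstructorOrProto(o, key)) return obj;
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (isConstructorOrProto(o, last)) return obj;
  o[last] = value;
  return obj;
}

// Detection check: did Object.prototype itself acquire an own property `name`?
// Useful in a test suite to catch pollution after parsing untrusted input.
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

Running setKeySafe over the same inputs that pollute via setKeyUnsafe leaves Object.prototype untouched, which is the property a regression test for this CVE should assert.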
Available Upgrade Options
- minimist
  - <0.2.4 → Upgrade to 0.2.4
  - >1.0.0, <1.2.6 → Upgrade to 1.2.6
Additional Resources
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://nvd.nist.gov/vuln/detail/CVE-2021-44906
- https://github.com/minimistjs/minimist/pull/24
- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d
- https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h
- https://github.com/substack/minimist/blob/master/index.js#L69
- https://github.com/minimistjs/minimist/issues/11
What are Similar Vulnerabilities to CVE-2021-44906?
Similar Vulnerabilities: CVE-2020-28282, CVE-2020-7798, CVE-2020-28189, CVE-2021-23343, CVE-2021-23425
