CVE-2022-21213
Prototype Pollution vulnerability in mout (npm)


What is CVE-2022-21213 About?

This vulnerability is an incomplete fix for CVE-2020-7792 in the 'mout' package's `deepFillIn` and `deepMixIn` functions. It allows Prototype Pollution due to unchecked keys, enabling an attacker to inject arbitrary properties into JavaScript object prototypes. Exploitation involves crafting specific object structures and is of moderate complexity.

Affected Software

mout <1.2.4

Technical Details

This vulnerability in all versions of the 'mout' package prior to 1.2.4 stems from an insufficient fix for CVE-2020-7792, specifically affecting the `deepFillIn` and `deepMixIn` functions. Both functions recursively merge or fill properties from a source object into a target object. During that recursive traversal, the key used to read and set properties on the target is neither validated nor sanitized. An attacker who controls the source object can therefore supply a specially crafted key such as `__proto__` or `constructor.prototype`, which escapes the intended object scope and reaches the prototype chain. When the vulnerable function sets a property through such a key, it injects or modifies properties on the global `Object.prototype`, affecting every JavaScript object in the application's environment. This is known as Prototype Pollution; it allows arbitrary property injection and, depending on which property is polluted, can lead to code execution.

What is the Impact of CVE-2022-21213?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, potentially leading to denial of service, privilege escalation, or remote code execution.

What is the Exploitability of CVE-2022-21213?

Exploitation of this Prototype Pollution vulnerability is of moderate complexity. An attacker needs to supply a carefully crafted input object that is processed by either `deepFillIn` or `deepMixIn`; the crafted input carries a malicious key such as `__proto__` so that properties are injected into the global `Object.prototype`. The authentication and privilege requirements depend entirely on how the application uses the mout package: if user input directly or indirectly influences the arguments passed to these functions, no authentication may be needed at all. The attack can be remote when the malicious input is delivered over a network, for example through a JSON API. The precondition is that the application relies on mout's merging functionality with untrusted input, and exploit likelihood rises with the degree to which these functions are exposed to user-controlled data structures.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link, or commentary entries have been recorded).

What are the Available Fixes for CVE-2022-21213?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents properties named `__proto__`, `prototype`, and `constructor` from being set on objects, mitigating prototype pollution by checking for these key names before each assignment. By blocking these dangerous keys, it fixes CVE-2022-21213, which could otherwise allow attackers to modify an object's prototype chain and cause the security issues described above.
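To make the mechanism from the Technical Details and the key check from the fix concrete, here is an added illustration that is not mout's own source: a minimal recursive merge with the unchecked-key defect, beside a hardened version that skips the three key names the patch blocks, run against a constructed JSON payload of the kind a JSON API might receive. The function names and the `polluted` property are assumptions chosen for the example.

```javascript
// Added example (not mout's code): vulnerable recursive merge vs. hardened merge.
const UNSAFE_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every source key is written into the target, including
// "__proto__". JSON.parse creates it as an own property, and target["__proto__"]
// resolves to Object.prototype, so the recursion writes into the global prototype.
function deepMixInVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      deepMixInVulnerable(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern: reject the key names that escape the target object's scope
// before any read or assignment, as the fix described above does.
function deepMixInSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      deepMixInSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs both merges on the same constructed payload and reports whether a fresh,
// unrelated object inherited the injected property. Cleans up afterwards.
function demonstrate() {
  const payload = '{"__proto__": {"polluted": true}, "name": "sample"}'; // constructed input
  deepMixInSafe({}, JSON.parse(payload));
  const safePolluted = ({}).polluted === true;
  deepMixInVulnerable({}, JSON.parse(payload));
  const vulnerablePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution for the rest of the process
  return { safePolluted, vulnerablePolluted };
}
```

A cheap runtime canary for this class of bug is the same check `demonstrate` uses: assert that `({}).polluted` (or any sentinel property name) is `undefined` after untrusted input has been merged.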

Available Upgrade Options

  • mout
    • <1.2.4 → Upgrade to 1.2.4


Additional Resources

What are Similar Vulnerabilities to CVE-2022-21213?

Similar Vulnerabilities: CVE-2020-7792, CVE-2020-28285, CVE-2020-28499, CVE-2021-23381, CVE-2022-24874