CVE-2022-21231
Prototype Pollution vulnerability in deep-get-set (npm)
What is CVE-2022-21231 About?
This vulnerability in the 'deep-get-set' package allows for Prototype Pollution via the 'deep' function, enabling attackers to inject arbitrary properties into JavaScript object prototypes. This can lead to denial of service, remote code execution, or property manipulation in applications using the affected package. Exploitation is relatively straightforward due to the nature of Prototype Pollution, often requiring careful construction of input data.
Affected Software
Technical Details
This Prototype Pollution vulnerability affects all versions of the 'deep-get-set' package and is found within its 'deep' function. It is explicitly noted as an incomplete fix for a previous vulnerability, CVE-2020-7715. Prototype Pollution occurs when a JavaScript application allows an attacker to control or inject properties into standard JavaScript object prototypes (e.g., Object.prototype). By manipulating the 'deep' function's input, an attacker can leverage paths that include __proto__ or constructor.prototype to add or modify properties on the global Object.prototype. Once a property is added to Object.prototype, it will be inherited by all objects in the application, leading to a wide range of potential impacts such as denial of service (e.g., overriding critical functions), arbitrary code execution (if combined with other vulnerabilities), or data tampering/privilege escalation (by overriding security-critical properties).
What is the Impact of CVE-2022-21231?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, potentially leading to denial of service, remote code execution, or property manipulation across the application.
What is the Exploitability of CVE-2022-21231?
Exploitation of this Prototype Pollution vulnerability is typically of moderate complexity, depending on the application's specific usage of the 'deep' function and how it processes user input. Attackers need to supply specially crafted input that, when processed by the 'deep' function, targets __proto__ or constructor.prototype to inject malicious properties. There are usually no specific authentication or privilege requirements to trigger this, as it often relies on data input mechanisms. The attack can be remote if the application exposes an API endpoint that processes user-controlled data using the vulnerable function. Special conditions might involve the application not sanitizing or validating user input sufficiently. Risk factors that increase exploitation likelihood include applications directly using user-supplied JSON or form data with the vulnerable package.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-21231?
About the Fix from Resolved Security
This patch extends key checks in the isSafeKey function to prevent array-based paths from accessing proto, blocking attempts to bypass prototype pollution protections with arrays. By ensuring keys like ['proto'] are also rejected and not just string "proto", it effectively fixes CVE-2022-21231, which exploited the omission to pollute Object.prototype via non-string input.
Available Upgrade Options
- No fixes available
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
What are Similar Vulnerabilities to CVE-2022-21231?
Similar Vulnerabilities: CVE-2020-7715 , CVE-2019-10744 , CVE-2020-28284 , CVE-2021-23395 , CVE-2021-23424
