CVE-2021-20087

8.8 HIGH

📋 TL;DR

CVE-2021-20087 is a prototype pollution vulnerability in jquery-deparam 0.5.1 that allows attackers to inject properties into Object.prototype. This can lead to various security issues including denial of service, remote code execution, or privilege escalation. Applications using this vulnerable library for parsing URL parameters are affected.

💻 Affected Systems

Products:
  • jquery-deparam
Versions: Version 0.5.1 specifically
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using jquery-deparam 0.5.1 for parsing URL parameters is vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service, application instability, or privilege escalation within the application context.

🟢 If Mitigated

Limited impact with proper input validation and security controls, potentially causing only application errors.

🌐 Internet-Facing: HIGH - Web applications using this library for URL parameter parsing are directly exposed to attack.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted URL parameters to applications using the vulnerable library.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.2 and later

Vendor Advisory: https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/jquery-deparam.md

Restart Required: No

Instructions:

1. Update jquery-deparam to version 0.5.2 or later.
2. Update package.json to specify ^0.5.2.
3. Run npm update jquery-deparam.
4. Test application functionality.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation for URL parameters before passing them to jquery-deparam

Use alternative library

all

Replace jquery-deparam with a secure alternative like qs or URLSearchParams

npm uninstall jquery-deparam
npm install qs
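As an added example (not jquery-deparam's own code), the validation step from the first workaround written out in JavaScript: a simplified deparam-style bracket parser that percent-decodes each key, rejects any segment named __proto__, constructor or prototype before anything is assigned, and builds its result on a null-prototype object. The function names and the bracket grammar are my own simplification of deparam's syntax, not the library's API.

```javascript
// Added example, not jquery-deparam's code: a minimal parser for the bracket
// syntax deparam understands (a[b][c]=1 -> {a:{b:{c:"1"}}}), with the
// input-validation workaround applied before any property is written.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][]" -> ["a", "b", ""]; an empty segment means "append to array".
// Returns null for keys that do not fit the bracket grammar.
function splitKey(rawKey) {
  const m = /^([^[\]]*)((?:\[[^[\]]*\])*)$/.exec(rawKey);
  if (!m) return null;
  const parts = [m[1]];
  for (const seg of m[2].matchAll(/\[([^[\]]*)\]/g)) parts.push(seg[1]);
  return parts;
}

// Percent-decode one "k=v" pair. Keys are decoded before the check, so an
// encoded %5F%5Fproto%5F%5F is caught the same way as a literal __proto__.
function splitPair(pair) {
  const dec = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  const i = pair.indexOf("=");
  return i < 0 ? [dec(pair), ""] : [dec(pair.slice(0, i)), dec(pair.slice(i + 1))];
}

// Pre-parse check: true if any key segment could reach Object.prototype, or
// if a key is malformed (treated as suspicious rather than guessed at).
function hasPrototypePollutionKey(query) {
  for (const pair of query.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const parts = splitKey(splitPair(pair)[0]);
    if (!parts || parts.some((p) => FORBIDDEN_KEYS.has(p))) return true;
  }
  return false;
}

// Parses into a null-prototype object tree; polluting input is rejected first.
function safeDeparam(query) {
  if (hasPrototypePollutionKey(query)) throw new Error("rejected prototype-polluting key");
  const result = Object.create(null);
  for (const pair of query.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [key, value] = splitPair(pair);
    const parts = splitKey(key);
    let node = result;
    parts.forEach((part, i) => {
      const k = part === "" && Array.isArray(node) ? node.length : part; // "[]" appends
      if (i === parts.length - 1) { node[k] = value; return; }
      if (!Object.prototype.hasOwnProperty.call(node, k) || typeof node[k] !== "object") {
        node[k] = parts[i + 1] === "" ? [] : Object.create(null);
      }
      node = node[k];
    });
  }
  return result;
}
```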

🧯 If You Can't Patch

  • Implement WAF rules to block requests with suspicious parameter patterns
  • Isolate affected applications behind reverse proxies with strict input filtering

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for jquery-deparam version 0.5.1

Check Version:

npm list jquery-deparam

Verify Fix Applied:

Verify jquery-deparam version is 0.5.2 or later in package.json and node_modules

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameter patterns in URL logs
  • Application errors related to object property access

Network Indicators:

  • Requests with specially crafted __proto__ or constructor parameters

SIEM Query:

url:*__proto__* OR url:*constructor* OR parameters:*__proto__*
