CVE-2021-21414

7.7 HIGH

📋 TL;DR

CVE-2021-21414 is an OS command injection vulnerability in Prisma's @prisma/sdk package (versions before 2.20.0). Untrusted input passed to the internal getPackedPackage function is interpolated into a shell command, so an attacker who controls that input can run arbitrary commands with the privileges of the calling process; this becomes remote code execution only where such input arrives over the network. Only code that calls getPackedPackage directly is affected: the function is internal, primarily used by Prisma for testing and for building the CLI, and not part of the public API.

💻 Affected Systems

Products:
  • Prisma ORM
  • @prisma/sdk package
Versions: prior to 2.20.0
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ✅ No
Notes: Only affects users who directly call the getPackedPackage function with untrusted input. The function is internal and not part of Prisma's public API.

📦 What is this software?

Prisma is an open-source ORM for Node.js and TypeScript. @prisma/sdk is an internal support package used by the Prisma CLI and by Prisma's own build and test tooling; getPackedPackage lives in that package and is used to pack the CLI for testing and builds. It is not part of Prisma's public API, so ordinary application code that uses Prisma Client does not reach it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the application process, potentially leading to complete system compromise.

🟠

Likely Case

Limited impact since the vulnerable function is internal and not exposed in typical usage patterns.

🟢

If Mitigated

No impact if the vulnerable function is not called with untrusted input or if input validation is implemented.

🌐 Internet-Facing: LOW - The vulnerable function is internal and not typically exposed to external interfaces.
🏢 Internal Only: MEDIUM - Could be exploited if internal applications call the vulnerable function with untrusted data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires calling the vulnerable internal function with malicious input, which is not typical in standard Prisma usage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.0 and later

Vendor Advisory: https://github.com/prisma/prisma/security/advisories/GHSA-pxcc-hj8w-fmm7

Restart Required: Yes

Instructions:

1. Update @prisma/sdk to version 2.20.0 or later.
2. Update Prisma CLI to version 2.20.0 or later.
3. Restart any running applications using Prisma.

🔧 Temporary Workarounds

Input validation (all platforms)

Implement strict input validation (an allow-list of permitted package names) for any calls to the getPackedPackage function.

Avoid untrusted input (all platforms)

Ensure the getPackedPackage function is never called with user-controlled or otherwise untrusted data.

🧯 If You Can't Patch

  • Review codebase for any calls to getPackedPackage function and ensure they don't use untrusted input
  • Implement network segmentation to limit potential impact if exploitation occurs

🔍 How to Verify

Check if Vulnerable:

Check if @prisma/sdk version is below 2.20.0 and if code calls getPackedPackage with untrusted input

Check Version:

npm list @prisma/sdk

Verify Fix Applied:

Verify @prisma/sdk version is 2.20.0 or higher and review code for getPackedPackage usage

📡 Detection & Monitoring

Log Indicators:

  • Shell processes (sh, bash, dash) spawned by a Node.js process that does not normally spawn them
  • Child processes of Node.js whose command lines contain chained or substituted commands (;, &&, |, $(...), backticks)

Network Indicators:

  • Unexpected outbound connections from application servers

SIEM Query:

The function name never appears in a process command line, so search instead for shells spawned by the application's Node.js process (field names vary by SIEM; this is written in the generic syntax used elsewhere on this page):

process.parent.name:node AND process.name:(sh OR bash OR dash)

Tune out the shells your build or deployment tooling legitimately launches from Node.js before alerting on the rest.

🔗 References

  • GitHub Security Advisory GHSA-pxcc-hj8w-fmm7: https://github.com/prisma/prisma/security/advisories/GHSA-pxcc-hj8w-fmm7
  • NVD entry for CVE-2021-21414: https://nvd.nist.gov/vuln/detail/CVE-2021-21414
