CVE-2021-23329

7.5 HIGH

📋 TL;DR

The nested-object-assign npm package is vulnerable to prototype pollution: merging an attacker-controlled object lets the attacker add or modify properties on JavaScript object prototypes. Depending on how the application later uses those properties, this can lead to denial of service, remote code execution, or privilege escalation. Any Node.js application using a vulnerable version of this package is affected.

💻 Affected Systems

Products:
  • nested-object-assign npm package
Versions: All versions before 1.0.4
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application importing and using the vulnerable default function from nested-object-assign is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Denial of service, application crashes, or unauthorized modification of application behavior through prototype pollution.

🟢 If Mitigated

Limited impact if input validation and sanitization are properly implemented, though prototype pollution risks remain.

🌐 Internet-Facing: HIGH - Web applications using this package could be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept code is publicly available and exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.4

Vendor Advisory: https://github.com/Geta/NestedObjectAssign/pull/11

Restart Required: Yes

Instructions:

1. Update package.json to require nested-object-assign version 1.0.4 or higher.
2. Run 'npm update nested-object-assign' or 'yarn upgrade nested-object-assign'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation and sanitization for all user-controlled objects before passing them to nested-object-assign functions.
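The workaround above says to validate user-controlled objects before they reach the merge; the following is an added example (not code from this advisory or from the nested-object-assign project) of what that gate looks like. It rejects any parsed JSON value that carries a `__proto__`, `constructor` or `prototype` key at any depth, shows a defensive deep merge used here as a stand-in for the library call, and includes a post-condition check that `Object.prototype` has gained no enumerable keys. The request bodies are constructed sample inputs.

```javascript
// Added example, not code from the advisory or from nested-object-assign:
// screen user-controlled JSON for prototype-polluting keys before it is passed
// to any deep-merge routine, and check afterwards that Object.prototype is intact.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively walk a parsed JSON value; return the key path of the first
// forbidden key found (as an array of keys), or null when the value is clean.
function findForbiddenKey(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  // Object.keys lists an own "__proto__" property created by JSON.parse,
  // which is exactly the key a polluting payload relies on.
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return [...path, key];
    const hit = findForbiddenKey(value[key], [...path, key]);
    if (hit) return hit;
  }
  return null;
}

// Validation gate: throw before the object reaches the merge.
function assertSafeMergeInput(value) {
  const hit = findForbiddenKey(value);
  if (hit) {
    throw new Error(`rejected merge input: forbidden key at ${hit.join('.')}`);
  }
  return value;
}

// Defensive deep merge (stand-in for the library call, not the library's code):
// copies only own enumerable keys, skips forbidden ones, never walks into
// inherited objects.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    const srcIsPlain = src !== null && typeof src === 'object' && !Array.isArray(src);
    if (srcIsPlain) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      const dst = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = safeDeepMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Post-condition check: a polluted Object.prototype gains enumerable own keys,
// which a clean one never has.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample request bodies (not taken from the advisory).
const SAMPLE_BENIGN = '{"profile":{"name":"alice","theme":"dark"}}';
const SAMPLE_POLLUTING = '{"profile":{"name":"bob"},"__proto__":{"isAdmin":true}}';
const SAMPLE_NESTED = '{"settings":{"constructor":{"prototype":{"isAdmin":true}}}}';

// Run the gate over each sample and report the decision per body.
function screenSamples() {
  const bodies = { benign: SAMPLE_BENIGN, polluting: SAMPLE_POLLUTING, nested: SAMPLE_NESTED };
  const results = {};
  for (const [label, body] of Object.entries(bodies)) {
    const hit = findForbiddenKey(JSON.parse(body));
    results[label] = hit ? `rejected at ${hit.join('.')}` : 'accepted';
  }
  // Even if a polluting body slipped past the gate, the defensive merge
  // leaves Object.prototype untouched.
  safeDeepMerge({}, JSON.parse(SAMPLE_POLLUTING));
  results.prototypeClean = prototypeIsClean();
  return results;
}

console.log(screenSamples());
```

Run the gate on every request body before it is handed to any merge, and keep the `prototypeIsClean()` check as a cheap health assertion in tests: if a library or code path ever pollutes the prototype, it fails loudly rather than silently changing application behaviour.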

🧯 If You Can't Patch

  • Remove or replace nested-object-assign with alternative object merging libraries
  • Implement strict Content Security Policy and input validation controls

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for nested-object-assign version. If version is below 1.0.4, you are vulnerable.

Check Version:

npm list nested-object-assign

Verify Fix Applied:

Verify nested-object-assign version is 1.0.4 or higher in package.json and node_modules/nested-object-assign/package.json.
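`npm list` only reports what is installed in the current tree; for a repository audit the lockfile is the authoritative record. The following added example (not code from the advisory) reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3, where each key is the install path such as `node_modules/nested-object-assign` or a nested `node_modules/<dep>/node_modules/nested-object-assign`) and reports every copy below the fixed version 1.0.4. The lockfile content is a constructed sample.

```javascript
// Added example, not code from the advisory: audit a package-lock.json for
// copies of nested-object-assign below the fixed version 1.0.4, including
// copies nested under other dependencies.

const PACKAGE = 'nested-object-assign';
const FIXED_VERSION = '1.0.4'; // patch version named in the advisory

// Parse "major.minor.patch" (pre-release/build suffixes ignored) into numbers.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 comparing a to b on major/minor/patch only.
function compareVersions(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every install path of PACKAGE from the lockfile's "packages" map.
// A path ends with "node_modules/<name>", whether top-level or nested.
function findInstalledCopies(lockfile) {
  const packages = lockfile.packages || {};
  const suffix = `node_modules/${PACKAGE}`;
  return Object.keys(packages)
    .filter((p) => p === suffix || p.endsWith(`/${suffix}`))
    .map((p) => ({ path: p, version: packages[p].version }));
}

// Split the copies into vulnerable and fixed lists.
function assessLockfile(lockfile) {
  const copies = findInstalledCopies(lockfile);
  return {
    vulnerable: copies.filter((c) => isVulnerableVersion(c.version)),
    fixed: copies.filter((c) => !isVulnerableVersion(c.version)),
  };
}

// Constructed sample lockfile (lockfileVersion 3 layout), not a real project's.
const SAMPLE_LOCKFILE = JSON.parse(`{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "sample-app", "dependencies": { "nested-object-assign": "^1.0.0" } },
    "node_modules/nested-object-assign": { "version": "1.0.3" },
    "node_modules/some-dep": { "version": "2.1.0" },
    "node_modules/some-dep/node_modules/nested-object-assign": { "version": "1.0.4" },
    "node_modules/unrelated": { "version": "0.9.0" }
  }
}`);

function auditSample() {
  return assessLockfile(SAMPLE_LOCKFILE);
}

console.log(JSON.stringify(auditSample(), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. A non-empty `vulnerable` list means a transitive copy can still be loaded even when the top-level dependency is already on 1.0.4, which `npm list nested-object-assign` also shows but is easy to overlook in a large tree.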

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual object property modifications
  • Prototype pollution attempts in logs

Network Indicators:

  • HTTP requests with specially crafted JSON payloads targeting object merging endpoints

SIEM Query:

source="application_logs" AND ("prototype pollution" OR "nested-object-assign" OR "CVE-2021-23329")
