CVE-2021-23373
📋 TL;DR
CVE-2021-23373 is a prototype pollution vulnerability in the set-deep-prop npm package that allows attackers to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. Any application using this package is affected, particularly Node.js applications that process untrusted user input.
💻 Affected Systems
- set-deep-prop npm package
📦 What is this software?
Set Deep Prop by Set Deep Prop Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Denial of service through application crashes or unexpected behavior, potentially leading to data corruption.
If Mitigated
Limited impact if input validation and sanitization are properly implemented, restricting prototype pollution vectors.
🎯 Exploit Status
Prototype pollution exploits are well-documented and relatively easy to weaponize given the right conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.0.1 or later
Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-SETDEEPPROP-1083231
Restart Required: Yes
Instructions:
1. Update package.json to use set-deep-prop version 1.0.1 or higher.
2. Run 'npm update set-deep-prop'.
3. Restart the application to load the patched version.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation to prevent prototype pollution by sanitizing user-controlled objects (dropping keys such as __proto__, constructor and prototype) before passing them to set-deep-prop.
Use Object.freeze() on prototypes
Freeze Object.prototype and other critical prototypes to prevent modification. Test this in staging first: freezing built-in prototypes breaks libraries that polyfill or extend them.
// Freeze Object.prototype so polluted keys cannot be added to it.
Object.freeze(Object.prototype);
// Object.prototype.__proto__ is null, so freezing it is a no-op; freeze other commonly reached prototypes instead.
Object.freeze(Array.prototype);
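As an added example (not set-deep-prop's own code, which this page does not reproduce), the sanitizer and hardened deep-set helper that the first workaround describes, plus a canary check usable in the verification step. The call shape setDeepProp(target, "a.b.c", value), the function names and the sample request body are assumptions constructed for this example.

```javascript
// Keys that let a "deep set" walk from a plain object onto its prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical hardened replacement for a set-deep-prop style call.
// Refuses any path segment that could reach a prototype, then creates
// only own properties while walking the path.
function safeSetDeepProp(target, path, value) {
  const segments = path.split(".");
  for (const seg of segments) {
    if (BLOCKED_KEYS.has(seg)) {
      throw new Error(`refusing to set prototype-reaching key: ${seg}`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== "object" || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Strip prototype-reaching keys from a parsed, untrusted body before it is
// handed to any deep-set helper. Object.keys only yields own keys, and
// JSON.parse stores "__proto__" as an ordinary own key, so it is seen here.
function sanitizeUntrusted(input) {
  if (Array.isArray(input)) return input.map(sanitizeUntrusted);
  if (input === null || typeof input !== "object") return input;
  const clean = {};
  for (const key of Object.keys(input)) {
    if (BLOCKED_KEYS.has(key)) continue;
    clean[key] = sanitizeUntrusted(input[key]);
  }
  return clean;
}

// Canary for the verification step: a fresh object must not see a key it
// never received; if it does, Object.prototype has been polluted.
function isPrototypePolluted(canaryKey = "polluted") {
  return ({})[canaryKey] !== undefined;
}

// Constructed sample of an untrusted request body after JSON.parse.
const UNTRUSTED_BODY = JSON.parse(
  '{"profile":{"name":"alice"},"__proto__":{"isAdmin":true}}'
);
```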
🧯 If You Can't Patch
- Remove or replace set-deep-prop with alternative libraries that don't have prototype pollution issues.
- Implement strict Content Security Policies and network segmentation to limit potential damage from exploitation.
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for set-deep-prop version. Versions below 1.0.1 are vulnerable.
Check Version:
npm list set-deep-prop
Verify Fix Applied:
Verify set-deep-prop version is 1.0.1 or higher in package.json and that the application loads this version.
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes
- Unusual prototype modifications in error logs
- Suspicious object property assignments
Network Indicators:
- Unusual outbound connections from the application
- Requests containing prototype pollution payloads
SIEM Query:
source="application_logs" AND ("prototype" OR "__proto__") AND ("pollution" OR "modification" OR "unexpected")