CVE-2021-23460

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to perform prototype pollution via the 'set' method in min-dash, letting them modify object prototypes and potentially execute arbitrary code. It affects applications using vulnerable versions of the min-dash library, particularly those that pass untrusted user input through the affected function.

💻 Affected Systems

Products:
  • min-dash library
Versions: All versions before 3.8.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using min-dash's 'set' method with user-controlled input are vulnerable. The vulnerability is in the library itself, not dependent on specific OS configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or service disruption through prototype pollution that modifies application behavior.

🟠 Likely Case

Application instability, denial of service, or limited data manipulation through prototype pollution affecting specific functionality.

🟢 If Mitigated

Minimal impact if input validation and sanitization prevent malicious payloads from reaching the vulnerable function.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to call the vulnerable 'set' method with attacker-controlled input. A public proof-of-concept exists in the GitHub pull request linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.1

Vendor Advisory: https://github.com/bpmn-io/min-dash/pull/21

Restart Required: No

Instructions:

1. Update the min-dash dependency to version 3.8.1 or later.
2. For npm: run 'npm update min-dash'.
3. For yarn: run 'yarn upgrade min-dash'.
4. Verify that package.json now shows min-dash >=3.8.1.

🔧 Temporary Workarounds

Workaround: Input validation wrapper

Platform: all

Description: Wrap calls to min-dash's 'set' method with input validation to reject non-string keys.

Implementation: Implement a custom validation function that checks key types before calling set().

🧯 If You Can't Patch

  • Implement strict input validation for all data passed to min-dash's 'set' method
  • Use Object.freeze() on critical prototypes to prevent pollution

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for a min-dash version <3.8.1.

Check Version:

npm list min-dash | grep min-dash

Verify Fix Applied:

Confirm that the min-dash version is >=3.8.1 in package.json and that the set method now validates key types.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes or errors related to object manipulation
  • Unexpected prototype modifications in debug logs

Network Indicators:

  • Unusual HTTP requests containing prototype pollution payloads

SIEM Query:

Search for patterns such as '__proto__', 'constructor', or 'prototype' in user-supplied input fields.
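The following is an added JavaScript example (not min-dash's own code and not part of this advisory) that serves both the input validation wrapper workaround above and the SIEM search for '__proto__', 'constructor' and 'prototype' keys. It assumes a deep-set helper with the shape set(target, path, value) where path is an array of keys, and substitutes a constructed stand-in for it so the example runs on its own.

```javascript
// Added example, not min-dash's own code. Assumes a deep-set helper with the
// signature set(target, path, value) where `path` is an array of keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A path segment is acceptable only if it is a string that cannot reach
// Object.prototype, or a non-negative integer usable as an array index.
function isSafeSegment(seg) {
  if (typeof seg === 'number') return Number.isInteger(seg) && seg >= 0;
  return typeof seg === 'string' && !FORBIDDEN_KEYS.has(seg);
}

// Constructed stand-in for a trusting deep-set: every segment is used as
// given, creating intermediate objects along the way.
function plainDeepSet(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (node[path[i]] === undefined || node[path[i]] === null) node[path[i]] = {};
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Validation wrapper: refuse the call before any key on the path is touched.
function guardedSet(target, path, value, setFn = plainDeepSet) {
  if (!Array.isArray(path) || path.length === 0 || !path.every(isSafeSegment)) {
    throw new TypeError('rejected unsafe key path: ' + JSON.stringify(path));
  }
  return setFn(target, path, value);
}

// Detection side: walk a parsed request body over its own keys only (so a
// JSON "__proto__" key is seen) and report dotted paths of suspicious keys.
function findPollutionKeys(input, prefix = '') {
  const hits = [];
  if (input === null || typeof input !== 'object') return hits;
  for (const key of Object.keys(input)) {
    const here = prefix ? prefix + '.' + key : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    const child = Object.getOwnPropertyDescriptor(input, key).value;
    hits.push(...findPollutionKeys(child, here));
  }
  return hits;
}
```

findPollutionKeys is meant to run over request bodies after JSON.parse, which stores a "__proto__" key as an ordinary own property that Object.keys reports.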
