CVE-2021-23470

8.2 HIGH

📋 TL;DR

CVE-2021-23470 is a prototype pollution vulnerability in the putil-merge npm package, allowing attackers to inject malicious properties into objects by manipulating the constructor property in merge() function arguments. This affects applications using putil-merge before version 3.8.0, potentially leading to denial of service, remote code execution, or data manipulation. Users of this package in Node.js environments are at risk.

💻 Affected Systems

Products:
  • putil-merge
Versions: before 3.8.0
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability affects any Node.js application that uses the putil-merge package with its default configuration and processes untrusted input via the merge() function.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution (RCE) or complete system compromise if the polluted objects are used in security-sensitive contexts like eval() or file operations.

🟠 Likely Case: Denial of service (DoS) or application crashes due to unexpected object modifications, with potential for data corruption or privilege escalation in specific use cases.

🟢 If Mitigated: Limited impact if input validation or sanitization is applied, but risk remains if the vulnerable function is exposed to untrusted data.

🌐 Internet-Facing: HIGH, as web applications using this package may process user-supplied data, making exploitation straightforward if the merge function is accessible.
🏢 Internal Only: MEDIUM, as internal systems might still be vulnerable if they handle untrusted data, but attack surface is reduced compared to internet-facing services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is simple as it involves passing a malicious object with a constructor property; public proof-of-concept examples are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.0

Vendor Advisory: https://github.com/panates/putil-merge/commit/476d00078dfb2827d7c9ee0f2392c81b864f7bc5

Restart Required: No

Instructions:

1. Update the putil-merge package to version 3.8.0 or later.
2. Run 'npm update putil-merge' or 'yarn upgrade putil-merge' in your project directory.
3. Verify the update by checking the package.json file or running 'npm list putil-merge'.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation to reject objects with constructor properties or other suspicious attributes before passing them to the merge() function.

// Example JavaScript code to sanitize input before calling merge():
// recursively drop own 'constructor', '__proto__' and 'prototype' keys,
// the paths a deep merge can follow to reach Object.prototype.
const FORBIDDEN_KEYS = ['constructor', '__proto__', 'prototype'];
function sanitizeInput(obj) {
  if (obj === null || typeof obj !== 'object') return obj;
  for (const key of Object.keys(obj)) {
    if (FORBIDDEN_KEYS.includes(key)) delete obj[key];
    else sanitizeInput(obj[key]);
  }
  return obj;
}

🧯 If You Can't Patch

  • Restrict access to the merge() function by ensuring it only processes trusted, internal data sources.
  • Monitor application logs for unusual activity or errors related to object manipulation and implement rate limiting to reduce attack impact.

🔍 How to Verify

Check if Vulnerable:

Check the version of putil-merge in your package.json or by running 'npm list putil-merge' in your project; if the version is below 3.8.0, you are vulnerable.

Check Version:

npm list putil-merge

Verify Fix Applied:

After updating, confirm the version is 3.8.0 or higher using 'npm list putil-merge' and test the merge function with safe inputs to ensure no errors occur.
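As an added example that is not code from putil-merge or its fix commit, the block below pairs the vulnerable deep-merge pattern with a hardened variant and a canary probe that confirms whether a given merge(target, source) function pollutes Object.prototype; naiveDeepMerge is a constructed stand-in, not putil-merge's implementation. It also serves the sanitization workaround above, since safeDeepMerge refuses the same forbidden keys.

```javascript
// Constructed example, not putil-merge's code or its fix commit.
// naiveDeepMerge stands in for a deep merge that follows any key,
// safeDeepMerge skips the keys that reach Object.prototype, and
// probeMerge is a canary check usable against any merge(target, source).
const FORBIDDEN_KEYS = new Set(['constructor', '__proto__', 'prototype']);
const CANARY = '__pp_canary__';
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: "constructor" resolves to Object and "prototype"
// to Object.prototype, so the payload's leaf keys land on every object.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (target[key] === undefined) target[key] = {};
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: drop the pollution keys and only recurse into plain
// objects the target owns itself, never into inherited ones.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Canary probe: runs the CVE-2021-23470 payload shape (with a harmless key)
// through mergeFn and reports whether Object.prototype picked it up.
function probeMerge(mergeFn) {
  const payload = JSON.parse(`{"constructor":{"prototype":{"${CANARY}":true}}}`);
  try { mergeFn({}, payload); } catch (e) { /* a merge that throws is fine */ }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, CANARY);
  delete Object.prototype[CANARY];  // leave the running process clean
  return polluted;
}
```

After upgrading, `probeMerge(require('putil-merge'))` returning false is a stronger check than version inspection alone.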

📡 Detection & Monitoring

Log Indicators:

  • Unexpected errors or crashes in application logs related to object property access, such as 'TypeError' or 'Cannot read property' messages.

Network Indicators:

  • Unusual HTTP requests containing JSON payloads with constructor properties, especially if targeting endpoints that use the merge function.

SIEM Query:

Example query for SIEM: 'source="application.log" AND ("constructor" OR "merge" OR "putil-merge") AND ("error" OR "crash")'

🔗 References
