CVE-2021-23507

CVSS Base Score: 7.5 (HIGH)

📋 TL;DR

CVE-2021-23507 is a prototype pollution vulnerability in the object-path-set npm package: when an attacker controls the path argument passed to setPath, a segment such as '__proto__' lets them write properties onto Object.prototype, and therefore onto every object in the Node.js process. Depending on how the polluted properties are later consumed, this can lead to denial of service, remote code execution, or privilege escalation within the application. Any application using object-path-set versions before 1.0.2 is affected.

💻 Affected Systems

Products:
  • object-path-set npm package
Versions: All versions before 1.0.2
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that passes attacker-influenced paths (string or array) to setPath is exploitable; the package has no configuration option that disables the behaviour

📦 What is this software?

object-path-set is a small npm utility (the skratchdot/object-path-set project referenced in the advisory link below) that exposes a single setPath function for writing a value at a nested location inside an object, given a dot-separated string or an array of keys; missing intermediate objects are created on the way down. Before 1.0.2 it walked whatever key names the caller supplied, so a path such as '__proto__.x' descends into Object.prototype instead of a property owned by the target object.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution when a polluted property is consumed by a gadget elsewhere in the process (for example a template engine option or a child_process spawn option), leading to complete system compromise, data theft, or ransomware deployment

🟠

Likely Case

Denial of service (polluting a widely read property such as 'toString' or 'length' crashes unrelated code), or privilege escalation within the application context when authorization code reads a flag like 'isAdmin' that the attacker has planted on every object

🟢

If Mitigated

Limited impact if path inputs are validated before reaching setPath (prototype-chain segments rejected, or only allow-listed key names accepted)

🌐 Internet-Facing: HIGH - Web applications using this package are directly exposed to attack
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but attack surface reduced

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control the path argument passed to setPath (for example a key name taken from a JSON body, query string or form field); no authentication is needed beyond whatever the calling endpoint itself requires
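To make the exploit condition concrete, here is an added illustration (not code from this page or from the object-path-set project) of an unguarded path setter written in the same style as the vulnerable behaviour, beside a hardened variant. The attacker path '__proto__.isAdmin' is a constructed example of a key name arriving from a request; naiveSetPath and guardedSetPath are this example's own names, not the library's API.

```javascript
// Added illustration: an unguarded path setter in the style of the vulnerable
// behaviour (NOT the object-path-set source), plus a hardened variant.
const PROTO_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Vulnerable pattern: walks whatever keys the caller supplies. For the path
// '__proto__.isAdmin', obj.__proto__ is Object.prototype (already an object,
// so it is not replaced), and the final assignment lands on the shared prototype.
function naiveSetPath(obj, path, value) {
  const segs = toSegments(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur[segs[i]] === null || typeof cur[segs[i]] !== 'object') cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Hardened pattern: reject prototype-chain segments up front, and only descend
// into objects the target actually owns (never into inherited ones).
function guardedSetPath(obj, path, value) {
  const segs = toSegments(path);
  if (segs.some((s) => PROTO_SEGMENTS.has(s))) {
    throw new TypeError('path segment would reach the prototype chain');
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, segs[i]);
    if (!own || cur[segs[i]] === null || typeof cur[segs[i]] !== 'object') cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Constructed attacker input: a key name that arrived in a request body.
const ATTACKER_PATH = '__proto__.isAdmin';

// Runs the setter on a throwaway object and reports whether an UNRELATED
// object, created beforehand, now sees isAdmin === true (privilege escalation
// inside the process). Cleans Object.prototype afterwards.
function pollutes(setter) {
  const settings = {};
  const user = { name: 'guest' };
  try {
    setter(settings, ATTACKER_PATH, true);
    return user.isAdmin === true;
  } catch (_) {
    return false;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

pollutes(naiveSetPath) returns true: the write to settings changed what the unrelated user object reports, which is exactly the privilege-escalation case described above. pollutes(guardedSetPath) returns false because the path is rejected before any write. Note that the own-property check alone is not enough, since assigning obj.__proto__ invokes a setter rather than creating an own property; the explicit segment blocklist is what closes the hole.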

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 and later

Vendor Advisory: https://github.com/skratchdot/object-path-set/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to require object-path-set >=1.0.2 (for example "^1.0.2")
2. Run 'npm update object-path-set' (or 'npm install object-path-set@^1.0.2'), then check with 'npm ls object-path-set' that no transitive copy below 1.0.2 remains; update or override the dependents that pull one in
3. Restart all Node.js applications using this package

🔧 Temporary Workarounds

Input validation wrapper

Applies to: all platforms

Wrap every setPath call so that no path segment, whether the path arrives as a string or as an array, is exactly '__proto__', 'constructor' or 'prototype'. Compare whole segments rather than using a substring match: a substring match rejects legitimate keys such as 'constructorName' and still lets array paths through.

// JavaScript wrapper around setPath that rejects prototype-chain segments.
// Assumes the default '.' separator for string paths.
const setPath = require('object-path-set');

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetPath(obj, path, value) {
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (segments.some((segment) => FORBIDDEN_SEGMENTS.has(segment))) {
    throw new Error('Invalid path: prototype-chain segment rejected');
  }
  return setPath(obj, path, value);
}

🧯 If You Can't Patch

  • Implement strict input validation for all setPath inputs: reject any path whose segments include '__proto__', 'constructor' or 'prototype', and prefer an allow-list of expected key names wherever the set of valid paths is known
  • Use an alternative such as lodash.set or a custom setter, but first confirm that the replacement itself rejects those three segments; several path-setting libraries have had the same class of bug

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list object-path-set' to see installed version

Check Version:

npm list object-path-set | grep object-path-set

Verify Fix Applied:

Verify installed version is >=1.0.2 using 'npm list object-path-set'

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes or TypeErrors raised from code that never handled the attacker's input (a polluted 'toString', 'length' or similar property breaks unrelated code)
  • Attacker-named properties visible on every object: a health check that finds Object.keys(Object.prototype) non-empty, or a freshly created empty object unexpectedly returning a value for a key
  • Error messages related to object corruption

Network Indicators:

  • HTTP requests carrying '__proto__', 'constructor' or 'prototype' as a key name or path segment in query strings, JSON bodies or form fields, including percent-encoded (%5F%5Fproto%5F%5F) and JSON \u005f-escaped variants

SIEM Query:

Splunk-style starting point. The bare word "constructor" appears in many stack traces and will be noisy, so restrict the search to request-parameter fields where the log format allows; the "setPath" term only matches when the application logs the call or a stack trace naming it, so drop it when searching raw request logs.

source="application.logs" AND ("__proto__" OR "constructor" OR "prototype") AND "setPath"
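A keyword search like the one above misses requests that encode the dangerous segments or send them as JSON arrays. The following added detection example (not part of the original page or of any vendor tooling) normalizes JSON \uXXXX escapes and percent-encoding, splits the request into path-like segments, and flags exact matches only. The request records are constructed samples, and the field names method/url/body are assumptions about the log shape.

```javascript
// Added detection example: scan request records for path segments that can
// reach the prototype chain. The log lines below are constructed, not real.
const SAMPLE_REQUESTS = [
  { method: 'GET',  url: '/api/prefs?theme=dark', body: '' },
  { method: 'POST', url: '/api/prefs', body: '{"path":"__proto__.isAdmin","value":true}' },
  { method: 'GET',  url: '/api/prefs?path=%5F%5Fproto%5F%5F.polluted', body: '' },            // percent-encoded
  { method: 'POST', url: '/api/prefs', body: '{"path":["constructor","prototype","x"]}' },   // array path
  { method: 'POST', url: '/api/prefs', body: '{"path":"\\u005f\\u005fproto\\u005f\\u005f.x"}' }, // JSON \u escapes
  { method: 'GET',  url: '/api/prefs?path=constructorName', body: '' },                       // benign substring
];

const PROTO_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Undo the encodings an attacker can use to hide the literal strings:
// JSON \uXXXX escapes first, then percent-encoding (repeated to catch double encoding).
function normalize(s) {
  let out = String(s).replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(out); } catch (_) { break; } // malformed % sequence
    if (decoded === out) break;
    out = decoded;
  }
  return out;
}

// Split on anything that is not an identifier character, so dots, slashes,
// brackets, quotes, commas, '?', '=' and '&' all separate segments. A naive
// substring match would flag 'constructorName'; exact segment match does not.
function segments(s) {
  return normalize(s).split(/[^\w$-]+/).filter(Boolean);
}

function isSuspicious(req) {
  return segments(`${req.url} ${req.body}`).some((seg) => PROTO_SEGMENTS.has(seg));
}

// Returns the flagged requests as one-line strings suitable for an alert body.
function flagSuspicious(requests) {
  return requests.filter(isSuspicious).map((r) => `${r.method} ${r.url} ${r.body}`.trim());
}
```

Run over the six constructed records, flagSuspicious returns four hits (the plain, percent-encoded, array and \u-escaped variants) and leaves the benign 'theme=dark' and 'constructorName' requests alone. In a real pipeline, feed it the decoded request fields your log source already separates rather than the raw line, and tune the separator set if your application legitimately uses those words as parameter values.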
