CVE-2021-25914

9.8 CRITICAL

📋 TL;DR

CVE-2021-25914 is a prototype pollution vulnerability in the 'object-collider' npm package that allows attackers to modify JavaScript object prototypes. This can lead to denial of service and potentially remote code execution by polluting base object properties. Anyone using object-collider versions 1.0.0 through 1.0.3 in their Node.js applications is affected.

💻 Affected Systems

Products:
  • object-collider
Versions: 1.0.0 through 1.0.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using vulnerable versions of object-collider is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢 If Mitigated

Application errors or crashes without code execution if input validation or sandboxing is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood attack vectors with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.4 and later

Vendor Advisory: https://github.com/FireBlinkLTD/object-collider/commit/321f75a7f8e7b3393e5b7dd6dd9ab26ede5906e5

Restart Required: Yes

Instructions:

1. Update package.json to specify object-collider version 1.0.4 or later.
2. Run 'npm update object-collider' or 'yarn upgrade object-collider'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to reject malformed objects that could trigger prototype pollution.

Use Object.freeze() on prototypes (applies to: all)

Freeze Object.prototype to prevent prototype pollution attacks.

Object.freeze(Object.prototype);
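The two workarounds above, input validation and freezing Object.prototype, as an added JavaScript example. This is not the advisory's or object-collider's own code: findForbiddenKeys, safeMerge, prototypeIsClean and freezeAndProbe are hypothetical names, the merge is a generic deep merge rather than the package's implementation, and the request body is a constructed sample.

```javascript
// Added example (not object-collider's code): reject the keys prototype pollution
// relies on, merge safely, and show what Object.freeze(Object.prototype) changes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the dotted paths of any key that could
// reach a prototype. JSON.parse creates "__proto__" as an own property, so
// Object.keys sees it.
function findForbiddenKeys(value, path = '') {
  const hits = [];
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Deep-merge `source` into `target`, skipping forbidden keys and only creating
// own plain-object properties on `target`, so no write can land on a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Object.prototype's built-in properties are non-enumerable; anything a
// pollution write added via plain assignment would be enumerable.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Apply the advisory's workaround and probe it. In strict mode (ES modules,
// or a 'use strict' directive as here) a write to the frozen prototype throws
// a TypeError; in sloppy-mode code the write is silently ignored instead.
function freezeAndProbe() {
  'use strict';
  Object.freeze(Object.prototype);
  try {
    Object.prototype.injected = true;
    return 'write succeeded';
  } catch (e) {
    return e instanceof TypeError ? 'write rejected' : 'unexpected: ' + e.name;
  }
}

// Constructed sample request body of the kind the validation should reject.
const SAMPLE_PAYLOAD = JSON.parse(
  '{"name":"alice","settings":{"__proto__":{"polluted":true}}}'
);

// Validation step: findForbiddenKeys(SAMPLE_PAYLOAD) -> ['settings.__proto__']
// Merge step: safeMerge({}, SAMPLE_PAYLOAD) -> { name: 'alice', settings: {} }
```

Freezing Object.prototype is process-wide and only helps if it runs before any third-party module loads; it can also break polyfills or libraries that legitimately extend Object.prototype, so test the application after enabling it. Because sloppy-mode writes to a frozen prototype fail silently, pair the freeze with the key rejection above so attempts are detected and logged rather than just neutralised.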

🧯 If You Can't Patch

  • Implement WAF rules to detect and block prototype pollution patterns in HTTP requests.
  • Isolate the vulnerable application in a container or VM with minimal privileges and network access.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list object-collider' to see installed version.

Check Version:

npm list object-collider | grep object-collider

Verify Fix Applied:

Verify object-collider version is 1.0.4 or later using 'npm list object-collider'.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual error messages related to object properties
  • Stack traces showing prototype pollution

Network Indicators:

  • HTTP requests with specially crafted JSON payloads
  • Unusual patterns in API calls to object-collider functions

SIEM Query:

source="application.logs" AND ("prototype pollution" OR "object-collider" OR "CVE-2021-25914")
