CVE-2021-25915

9.8 CRITICAL

📋 TL;DR

This is a prototype pollution vulnerability in the 'changeset' npm package that allows attackers to modify object prototypes, potentially leading to denial of service or remote code execution. It affects applications using vulnerable versions of the changeset library for data transformation operations. The high CVSS score indicates critical severity with broad impact potential.

💻 Affected Systems

Products:
  • changeset npm package
Versions: 0.0.1 through 0.2.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using vulnerable changeset versions for data transformation operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only causing application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and often have public proof-of-concept exploits available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.6 and later

Vendor Advisory: https://github.com/eugeneware/changeset/commit/9e588844edbb9993b32e7366cc799262b4447f99

Restart Required: Yes

Instructions:

1. Update package.json to specify changeset version 0.2.6 or higher.
2. Run 'npm update changeset' or 'yarn upgrade changeset'.
3. Restart all affected applications and services.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and sanitization for all data processed by changeset functions.

Object.freeze() on Prototypes

all

Freeze Object.prototype and other critical prototypes to prevent pollution.

Object.freeze(Object.prototype);

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected systems
  • Deploy web application firewall with prototype pollution detection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list changeset' to see if version is between 0.0.1 and 0.2.5 inclusive.

Check Version:

npm list changeset | grep changeset

Verify Fix Applied:

Verify changeset version is 0.2.6 or higher using 'npm list changeset' and test data transformation functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual object property modifications in logs
  • Prototype modification warnings

Network Indicators:

  • Unusual data patterns in API requests to changeset endpoints
  • Malformed JSON payloads with prototype pollution patterns

SIEM Query:

source="application.logs" AND ("prototype pollution" OR "changeset error" OR "unexpected property")
