CVE-2021-25916

9.8 CRITICAL

📋 TL;DR

CVE-2021-25916 is a prototype pollution vulnerability in the patchmerge npm package versions 1.0.0 through 1.0.1. This allows attackers to modify object prototypes, potentially leading to denial of service or remote code execution. Anyone using vulnerable versions of patchmerge in their Node.js applications is affected.

💻 Affected Systems

Products:
  • patchmerge
Versions: 1.0.0 through 1.0.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using patchmerge in the vulnerable version range is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only causing application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and often have public proof-of-concept exploits available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 and later

Vendor Advisory: https://github.com/pjshumphreys/patchmerge/commit/5b383c537eae7a00ebd26d3f7211dac99ddecb12

Restart Required: Yes

Instructions:

1. Update package.json to specify patchmerge version 1.0.2 or later.
2. Run 'npm update patchmerge' or 'npm install patchmerge@latest'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation to reject malformed objects that could trigger prototype pollution.

Object.freeze() on Prototypes

all

Freeze Object.prototype and other critical prototypes to prevent pollution.

Object.freeze(Object.prototype);
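As an added illustration that is not part of this advisory and not patchmerge's own code, the block below puts the two workarounds above side by side with the pattern they defend against: a constructed `naiveMerge` in the general recursive-merge shape that prototype pollution targets, a `safeMerge` that applies the input-validation workaround (the keys `__proto__`, `constructor` and `prototype` are skipped, only own keys are iterated, and recursion only descends into objects the target owns itself), and `hardenPrototypes`, which applies the Object.freeze() workaround. `demonstrate()` runs the three cases in order and returns which ones left Object.prototype clean. The input JSON and all function names are constructed for the example.

```javascript
// Added illustration, not the advisory's or patchmerge's code: a recursive merge
// in the vulnerable pattern, a hardened merge, and the Object.freeze() workaround.

// Constructed input in the shape a polluting request body would take.
const POLLUTING_INPUT = JSON.parse('{"__proto__": {"polluted": true}}');

// Keys that name the prototype chain rather than data; a merge must never
// treat them as ordinary properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern (constructed, for illustration): every key of `source`
// is copied or recursed into, so "__proto__" resolves to Object.prototype
// and the nested object is written onto it.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips prototype-chain keys, iterates own keys only, and
// only recurses into objects that `target` owns itself (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop silently here; rejecting the whole input is equally valid
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The Object.freeze() workaround from the advisory, applied to the prototype
// that "__proto__" pollution reaches.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
}

// Runs the three cases in order and reports whether each left Object.prototype clean.
function demonstrate() {
  const results = {};

  naiveMerge({}, POLLUTING_INPUT);
  results.naivePollutes = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before continuing

  safeMerge({}, POLLUTING_INPUT);
  results.safeResists = ({}).polluted === undefined;

  hardenPrototypes();
  try {
    naiveMerge({}, POLLUTING_INPUT);
  } catch (e) {
    // Strict-mode code gets a TypeError when writing to the frozen prototype;
    // sloppy-mode code fails silently. Either way nothing is written.
  }
  results.frozenResists = ({}).polluted === undefined;
  return results;
}
```

Freezing Object.prototype is process-wide and cannot be undone, so test it against the full dependency tree first: any library that writes to a built-in prototype (polyfills in particular) will fail, with a TypeError in strict-mode code and silently in sloppy-mode code. Applying the freeze at the very top of the entry point, before any dependency loads, gives the most predictable behaviour.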

🧯 If You Can't Patch

  • Remove patchmerge dependency entirely if not essential
  • Implement network segmentation and restrict application access

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for patchmerge version 1.0.0 or 1.0.1

Check Version:

npm list patchmerge

Verify Fix Applied:

Verify patchmerge version is 1.0.2 or later in package.json and node_modules
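Added example (not the advisory's text and not code from the patchmerge project) that performs the version check above against the lockfile instead of the installed tree, so it can run in CI or on a backup without an `npm install`, and that reports nested copies under other dependencies as well as the top-level one. The sample lockfile, the version bounds taken from this advisory (1.0.0 affected, 1.0.2 fixed) and all function names are constructed for the example.

```javascript
// Added example, not from the advisory or the patchmerge project: scan an npm
// lockfile for copies of patchmerge in the affected range 1.0.0 through 1.0.1,
// including nested copies installed under other dependencies.

const AFFECTED_PACKAGE = 'patchmerge';
const FIRST_AFFECTED = '1.0.0';
const FIRST_FIXED = '1.0.2'; // advisory: 1.0.2 and later carry the fix

// Constructed lockfile (lockfileVersion 3 layout): one vulnerable top-level copy
// and one fixed nested copy.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { patchmerge: '^1.0.0' } },
    'node_modules/patchmerge': { version: '1.0.1' },
    'node_modules/some-lib/node_modules/patchmerge': { version: '1.0.2' },
  },
};

// Parses "MAJOR.MINOR.PATCH" (prerelease/build suffixes ignored); null if not semver-like.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True only for versions in [1.0.0, 1.0.2). Unparseable versions (git URLs,
// tarballs) are reported as not affected and should be reviewed by hand.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, parseVersion(FIRST_AFFECTED)) >= 0 &&
         compareVersions(v, parseVersion(FIRST_FIXED)) < 0;
}

// Handles both layouts: "packages" keyed by install path (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
function findAffected(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      const name = path.split('node_modules/').pop();
      if (name === AFFECTED_PACKAGE && isAffected(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === AFFECTED_PACKAGE && isAffected(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, '');
  return hits;
}

// Reads a lockfile from disk and returns the affected copies (CommonJS entry point).
function scanLockfileFile(filePath) {
  const fs = require('fs'); // loaded here so the pure functions above have no I/O dependency
  return findAffected(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}
```

A non-empty result from `scanLockfileFile('package-lock.json')` means the fix has not been applied for every copy; after updating, re-run it and confirm the list is empty, then confirm `node_modules/patchmerge/package.json` reports the same version as the lockfile.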

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual prototype modification errors
  • Memory exhaustion warnings

Network Indicators:

  • Unusual outbound connections from Node.js process
  • Unexpected process spawning

SIEM Query:

process.name:node AND (event.action:crash OR error.message:"prototype" OR error.message:"pollution")
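The log indicators above are what an application emits after pollution has already caused a crash. As an added example that is not part of this advisory, the block below gives the application a direct signal instead: it records the own properties of Object.prototype at startup and later reports any additions, which is the observable footprint of a successful pollution, and formats the finding as a log line containing the word "prototype" so the SIEM query above matches it. All function names are constructed for the example.

```javascript
// Added example, not from the advisory: an in-process canary that records the
// expected own properties of Object.prototype at startup and later reports any
// additions, the direct footprint of a successful prototype pollution.

// Baseline captured at module load, before any untrusted input is processed.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Returns the properties now present on Object.prototype that were not in the baseline.
function checkPrototypeIntegrity() {
  const findings = [];
  for (const name of Object.getOwnPropertyNames(Object.prototype)) {
    if (!PROTOTYPE_BASELINE.has(name)) {
      findings.push({ key: name, value: Object.prototype[name] });
    }
  }
  return findings;
}

// Formats findings as one log line whose message contains "prototype", so the
// advisory's error.message:"prototype" query picks it up; null when clean.
function formatAlert(findings) {
  if (findings.length === 0) return null;
  const keys = findings.map((f) => f.key).join(',');
  return `error.message="prototype pollution detected" keys=${keys} pid=${process.pid}`;
}

// Periodic check suited to a health endpoint or a setInterval timer.
// Returns true when Object.prototype matches the baseline.
function runCheck(logger = console) {
  const line = formatAlert(checkPrototypeIntegrity());
  if (line !== null) logger.error(line);
  return line === null;
}
```

Load this module first in the entry point so the baseline is taken before any dependency or request handler runs; a baseline captured after pollution would treat the injected keys as normal.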
