CVE-2021-25941

9.8 CRITICAL

📋 TL;DR

CVE-2021-25941 is a prototype pollution vulnerability in the 'deep-override' npm package versions 1.0.0 through 1.0.1. This allows attackers to modify JavaScript object prototypes, potentially leading to denial of service or remote code execution. Any application using vulnerable versions of this package is affected.

💻 Affected Systems

Products:
  • deep-override npm package
Versions: 1.0.0 through 1.0.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using deep-override for object merging operations is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, though prototype pollution remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution exploits are well-documented and relatively easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 and later

Vendor Advisory: https://github.com/ASaiAnudeep/deep-override/commit/2aced17651fb684959a6e04b1465a8329b3d5268

Restart Required: Yes

Instructions:

1. Update package.json to specify 'deep-override': '^1.0.2'.
2. Run 'npm update deep-override'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation for objects passed to deep-override functions.

Object.freeze() on prototypes (applies to: all)

Freeze Object.prototype and other base prototypes to prevent pollution. Run this before any other module loads; a frozen prototype rejects further property writes (a TypeError in strict mode, a silent no-op otherwise), so any code that extends Object.prototype will break.

Object.freeze(Object.prototype);
Object.freeze(Object);

🧯 If You Can't Patch

  • Remove deep-override dependency entirely and replace with alternative object merging libraries.
  • Implement network segmentation and strict firewall rules to limit attack surface.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list deep-override' to see installed version.

Check Version:

npm list deep-override

Verify Fix Applied:

Verify version is 1.0.2 or higher with 'npm list deep-override' and test object merging with malicious payloads.
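The verification step above calls for testing object merging with a malicious payload. As an added example (not code from the deep-override project, whose own API is not reproduced here), the following shows the typical vulnerable recursive-merge pattern next to a hardened merge that refuses prototype-reaching keys, plus a probe that reports whether a given merge function pollutes Object.prototype. The names naiveDeepMerge, safeDeepMerge and mergeLeaksToPrototype, and the JSON payload, are constructed for this example.

```javascript
// Keys through which a merge can reach a prototype instead of an own property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Typical vulnerable pattern (constructed, not deep-override's code): recurses into
// whatever target[key] resolves to, which is Object.prototype when key is "__proto__".
function naiveDeepMerge(target, source) {
  for (const key in source) {
    if (source[key] !== null && typeof source[key] === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips the forbidden keys and only descends into own plain objects.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Verification probe: merges a constructed JSON payload that targets the prototype
// and reports whether Object.prototype gained the marker. Cleans up afterwards.
function mergeLeaksToPrototype(mergeFn) {
  const marker = '__pp_probe__';
  const payload = JSON.parse(
    `{"__proto__": {"${marker}": 1}, "constructor": {"prototype": {"${marker}": 1}}}`);
  try {
    mergeFn({}, payload);
    return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  } finally {
    delete Object.prototype[marker];
  }
}
```

Passing the application's actual merge function to mergeLeaksToPrototype gives a yes/no answer for the "test object merging with malicious payloads" step; run it in a test process, not in production, since a vulnerable function really does write to Object.prototype until the probe cleans up.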

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual object property modifications in logs
  • Error messages related to prototype modifications

Network Indicators:

  • Unusual HTTP requests with nested object payloads
  • Requests containing __proto__ or constructor properties

SIEM Query:

source="application.logs" AND ("__proto__" OR "constructor" OR "prototype pollution")

The bare terms "constructor" and "prototype" also match ordinary stack traces and source references, so scope the query to request-body or parameter-name fields where your logging allows it to cut noise.
