CVE-2021-25944

9.8 CRITICAL

📋 TL;DR

CVE-2021-25944 is a prototype pollution vulnerability in the 'deep-defaults' npm package versions 1.0.0 through 1.0.5. This allows attackers to modify object prototypes, potentially leading to denial of service or remote code execution. Any application using these vulnerable versions is affected.

💻 Affected Systems

Products:
  • deep-defaults npm package
Versions: 1.0.0 through 1.0.5
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using vulnerable deep-defaults versions is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢 If Mitigated

Limited impact if input validation and sandboxing prevent prototype pollution exploitation.

🌐 Internet-Facing: HIGH - Web applications using this package could be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood with public proof-of-concept code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.6 and later

Vendor Advisory: https://www.npmjs.com/advisories/1741

Restart Required: Yes

Instructions:

1. Update package.json to specify "deep-defaults": "^1.0.6" (package.json is JSON, so the key and range use double quotes)
2. Run 'npm update deep-defaults'
3. Restart all Node.js applications using this package
4. Test application functionality

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to prevent malicious object manipulation; in particular, reject or strip the keys '__proto__', 'constructor' and 'prototype' from untrusted objects before they reach any deep-merge call.

Package replacement (applies to: all)

Replace deep-defaults with alternative libraries like lodash.defaultsdeep (use a current release: older lodash versions had the same class of prototype pollution bug in defaultsDeep).

npm uninstall deep-defaults
npm install lodash.defaultsdeep
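The input-validation workaround above is easiest to apply at the merge itself. The following is an added example, not code from the deep-defaults package: a recursive "fill in missing defaults" merge that skips any key able to reach the prototype chain and reports what it skipped, plus a small helper for checking whether Object.prototype has already been polluted in the running process. The names safeDefaults, prototypeIsPolluted and the sample config document are constructed for this example.

```javascript
// Added example (not code from the deep-defaults package): a recursive
// "fill in missing defaults" merge that refuses to follow keys which can
// reach the prototype chain, and a helper that checks whether a marker
// property has become visible on every object in the process.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects ({} or Object.create(null)) are merged recursively;
// arrays, class instances, Dates, etc. are copied by reference as leaves.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Copy properties of `source` into `target` where `target` lacks them,
// descending into nested plain objects. Blocked keys are skipped and
// appended to `report` so the caller can log the attempt.
function safeDefaults(target, source, report = []) {
  if (!isPlainObject(target) || !isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {          // own, enumerable keys only
    if (BLOCKED_KEYS.has(key)) {
      report.push(key);
      continue;
    }
    const value = source[key];
    if (!Object.prototype.hasOwnProperty.call(target, key)) {
      // Deep-copy nested objects so `target` never aliases `source`.
      target[key] = isPlainObject(value) ? safeDefaults({}, value, report) : value;
    } else if (isPlainObject(target[key]) && isPlainObject(value)) {
      safeDefaults(target[key], value, report);
    }
  }
  return target;
}

// True if `marker` is visible on a brand-new empty object, i.e. something
// has already polluted Object.prototype in this process.
function prototypeIsPolluted(marker) {
  return marker in {};
}

// Constructed input: a config document as it arrives from JSON.parse, where
// "__proto__" is an ordinary own property rather than the prototype setter.
const untrustedConfig = JSON.parse('{"timeout": 5, "__proto__": {"isAdmin": true}}');
const skipped = [];
const merged = safeDefaults({ retries: 3 }, untrustedConfig, skipped);
console.log(merged, 'blocked keys:', skipped, 'polluted:', prototypeIsPolluted('isAdmin'));
```

Note that the guard iterates with Object.keys, which is what makes it work: an object produced by JSON.parse carries "__proto__" as an own property, so it shows up in that list and can be refused, whereas an object literal with a __proto__ key would have silently changed the prototype at construction time. The prototypeIsPolluted helper is a cheap check to run at startup or in a health endpoint after the fix has been deployed.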

🧯 If You Can't Patch

  • Implement WAF rules to detect and block prototype pollution patterns
  • Isolate affected applications in network segments with strict egress filtering

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for deep-defaults version 1.0.0-1.0.5, or run 'npm list deep-defaults'

Check Version:

npm list deep-defaults | grep deep-defaults

Verify Fix Applied:

Confirm deep-defaults version is 1.0.6+ with 'npm list deep-defaults' and test application with known exploit payloads
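Running 'npm list' covers one checkout at a time; for CI or a fleet-wide sweep it is useful to read package-lock.json directly, since nested copies of deep-defaults under other dependencies are easy to miss. The following is an added example, not part of the advisory: it walks a parsed lockfile (the flat "packages" map of lockfileVersion 2/3, or the nested "dependencies" tree of lockfileVersion 1) and lists every copy whose version falls in 1.0.0 through 1.0.5. The function names and the sample lockfile are constructed for this example.

```javascript
// Added example (not part of the advisory): scan a parsed package-lock.json
// for deep-defaults entries whose version falls in the vulnerable range
// 1.0.0 through 1.0.5, including copies nested under other dependencies.
const VULN_PACKAGE = 'deep-defaults';
const FIRST_VULNERABLE = [1, 0, 0];
const FIRST_FIXED = [1, 0, 6];

// "1.0.3" -> [1, 0, 3]; anything not starting with MAJOR.MINOR.PATCH -> null
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True for 1.0.0 <= version < 1.0.6
function isVulnerableVersion(v) {
  const parts = parseVersion(v);
  return parts !== null
    && compareVersions(parts, FIRST_VULNERABLE) >= 0
    && compareVersions(parts, FIRST_FIXED) < 0;
}

// Returns [{ path, version }] for every vulnerable copy in the lockfile.
function findVulnerableDeepDefaults(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + VULN_PACKAGE) && entry && isVulnerableVersion(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === VULN_PACKAGE && isVulnerableVersion(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfile fragment: a vulnerable top-level copy and a patched
// copy nested under another dependency.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { 'deep-defaults': '^1.0.0' } },
    'node_modules/deep-defaults': { version: '1.0.3' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/deep-defaults': { version: '1.0.6' },
  },
};

console.log(findVulnerableDeepDefaults(SAMPLE_LOCK));
```

Against a real checkout, pass the parsed file instead of the sample: findVulnerableDeepDefaults(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))). A non-empty result is the condition to fail a CI job on; an empty result after updating to 1.0.6 is the "fix applied" confirmation for that lockfile.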

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual object property modifications
  • Memory exhaustion errors

Network Indicators:

  • HTTP requests with specially crafted JSON objects
  • Unusual outbound connections from Node.js processes

SIEM Query:

process.name:node.exe AND (event_data.CommandLine:*deep-defaults* OR event_data.ImagePath:*node*)

Note that the second clause (ImagePath:*node*) matches every Node.js process on the host, so this query is an inventory of Node hosts rather than a detection of exploitation; confirm whether deep-defaults is actually installed with the version check in the How to Verify section.
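The network indicator "HTTP requests with specially crafted JSON objects" is more actionable if the application itself records the attempt at the point where it parses request bodies. The following is an added example, not part of the advisory: a JSON.parse reviver that strips keys able to reach the prototype chain, records which keys it saw, and produces a single structured log line that a SIEM rule can match on. The request shape ({ ip, path, body }), the log line format and the sample requests are constructed for this example.

```javascript
// Added example (not from the advisory): parse an inbound JSON body with a
// reviver that strips keys able to reach the prototype chain, records what
// it saw, and emits a log line a SIEM rule could key on.
const SUSPICIOUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns { value, findings }. JSON.parse calls the reviver once per own
// property, including one literally named "__proto__"; returning undefined
// from the reviver deletes that property from the parsed result.
function parseBodyWithDetection(text) {
  const findings = [];
  const value = JSON.parse(text, function reviver(key, val) {
    if (SUSPICIOUS_KEYS.has(key)) {
      findings.push(key);
      return undefined;
    }
    return val;
  });
  return { value, findings };
}

// Build one structured log line for a request whose body contained
// suspicious keys, or null if the body was clean. `req` is a hypothetical
// minimal request object ({ ip, path, body }) constructed for the example.
function inspectRequest(req) {
  const { value, findings } = parseBodyWithDetection(req.body);
  const alert = findings.length
    ? `PROTOTYPE_POLLUTION_ATTEMPT src=${req.ip} path=${req.path} keys=${findings.join(',')}`
    : null;
  return { value, alert };
}

// Constructed sample requests: one benign, one carrying a prototype key.
const SAMPLE_REQUESTS = [
  { ip: '10.0.0.7', path: '/api/settings', body: '{"theme":"dark","retries":2}' },
  { ip: '198.51.100.23', path: '/api/settings', body: '{"theme":"dark","__proto__":{"isAdmin":true}}' },
];

// Collect the alert lines for a batch of requests (nulls dropped).
function alertsFor(requests) {
  return requests.map(inspectRequest).map((r) => r.alert).filter(Boolean);
}

console.log(alertsFor(SAMPLE_REQUESTS));
```

Because the reviver runs inside JSON.parse, the suspicious key never exists on the object handed to application code, so this both neutralises the input and produces the evidence; a rule on the PROTOTYPE_POLLUTION_ATTEMPT token, grouped by src, is a far more specific signal than the process-level query above.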
