CVE-2021-25945

9.8 CRITICAL

📋 TL;DR

CVE-2021-25945 is a prototype pollution vulnerability in the 'js-extend' npm package that allows attackers to modify JavaScript object prototypes, potentially leading to denial of service or remote code execution. This affects applications using vulnerable versions of js-extend (0.0.1 through 1.0.1) for object extension operations. The vulnerability is particularly dangerous in Node.js applications where user input can reach the vulnerable function.

💻 Affected Systems

Products:
  • js-extend npm package
Versions: 0.0.1 through 1.0.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using js-extend for object extension with untrusted input is vulnerable. The vulnerability exists in the core extend() function.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the environment.

🟠 Likely Case

Denial of service through application crashes or instability, with potential for limited remote code execution in specific configurations.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only causing application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to reach the vulnerable extend() function. Public proof-of-concept code demonstrates prototype pollution leading to denial of service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 and later

Vendor Advisory: https://www.npmjs.com/advisories/1638

Restart Required: Yes

Instructions:

1. Update js-extend to version 1.0.2 or later using 'npm update js-extend'.
2. Restart all affected Node.js applications.
3. Verify the update with 'npm list js-extend'.

🔧 Temporary Workarounds

Input Validation and Sanitization


Implement strict input validation so that untrusted objects (for example, parsed request bodies) are checked before they reach the extend() function, and reject any object that carries keys able to redirect writes onto the object prototype.
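The following is an added example, not code from the advisory or from the js-extend project: a guard that rejects prototype-pollution keys in untrusted JSON, and a hardened deep-extend that skips those keys. The names assertNoPollutionKeys, safeExtend and the sample JSON body are assumptions made for this illustration.

```javascript
// Keys that let a source object write onto Object.prototype via a naive extend().
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and throw on the first nested key that could
// redirect property writes onto the prototype chain.
function assertNoPollutionKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`forbidden key "${key}" at ${path}`);
    }
    assertNoPollutionKeys(value[key], `${path}.${key}`);
  }
}

// Recursive extend that copies only own, enumerable, non-forbidden keys,
// so an own property literally named "__proto__" is never assigned through.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const base = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = safeExtend(base, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample request body (not from the advisory). JSON.parse creates
// an own data property named "__proto__" here, which is what a naive extend()
// would then assign through to the target's prototype.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Run the guard and the hardened merge over the sample and report the outcome.
function demo() {
  const parsed = JSON.parse(UNTRUSTED_JSON);
  let rejected = false;
  try { assertNoPollutionKeys(parsed); } catch { rejected = true; }
  const merged = safeExtend({}, parsed);
  return {
    rejected,                                   // guard refused the body
    mergedKeys: Object.keys(merged),            // only the harmless key survived
    prototypeClean: ({}).polluted === undefined // Object.prototype untouched
  };
}
```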

Use Alternative Libraries


Replace js-extend with an alternative such as lodash.merge or Object.assign, and still validate the input before merging it.

npm uninstall js-extend
npm install lodash

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to js-extend functions
  • Isolate affected applications in network segments with limited access and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list js-extend' to see whether the installed version is between 0.0.1 and 1.0.1 inclusive.

Check Version:

npm list js-extend | grep js-extend

Verify Fix Applied:

Verify js-extend version is 1.0.2 or higher using 'npm list js-extend' and test object extension with known safe inputs.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or unexpected behavior when processing object extensions
  • Unusual prototype modifications in JavaScript error logs

Network Indicators:

  • Unusual outbound connections from Node.js processes
  • Requests containing specially crafted JSON objects

SIEM Query:

source="application.log" AND ("js-extend" OR "extend()") AND ("crash" OR "error" OR "unexpected")
