CVE-2021-25946

9.8 CRITICAL

📋 TL;DR

CVE-2021-25946 is a prototype pollution vulnerability in nconf-toml, a Node.js configuration file parser. It allows attackers to modify object prototypes, potentially leading to denial of service or remote code execution. This affects applications using vulnerable versions of the nconf-toml library.

💻 Affected Systems

Products:
  • nconf-toml
Versions: 0.0.1 through 0.0.2
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using nconf-toml to parse TOML configuration files is vulnerable. The vulnerability is in the core parsing logic.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, though prototype pollution remains dangerous.

🌐 Internet-Facing: HIGH - Applications processing untrusted TOML files from external sources are directly vulnerable.
🏢 Internal Only: MEDIUM - Internal applications processing controlled TOML files have reduced risk but could still be exploited through supply chain attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to parse a malicious TOML file. Public proof-of-concept code demonstrates prototype pollution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.3 and later

Vendor Advisory: https://github.com/RobLoach/nconf-toml/security/advisories/GHSA-5jq7-2j3q-8j3q

Restart Required: Yes

Instructions:

1. Update nconf-toml to version 0.0.3 or later using npm: npm update nconf-toml.
2. Restart the Node.js application to load the updated library.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict validation of TOML file inputs to reject malicious content before parsing.

Use alternative configuration parser (applies to: all)

Temporarily replace nconf-toml with a secure alternative like @iarna/toml until patched.

npm uninstall nconf-toml
npm install @iarna/toml
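One way to implement the input-validation workaround above, as an added example that is not part of this advisory or of the nconf-toml project: it walks the parsed configuration for prototype-reaching keys before the object is merged into application settings, and compares Object.prototype against a startup snapshot afterwards. The parser is passed in as a function; `fakeParse`, the sample documents and all function names are constructed for illustration.

```javascript
'use strict';

// Keys that let a merged configuration object reach Object.prototype.
// Rejecting 'constructor' and 'prototype' as well is the usual conservative rule.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed configuration tree depth-first and return the dotted path of the
// first forbidden key, or null when the tree is clean.
function findForbiddenKey(node, path = []) {
  if (node === null || typeof node !== 'object') return null;
  for (const [key, value] of Object.entries(node)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) return here.join('.');
    const hit = findForbiddenKey(value, here);
    if (hit) return hit;
  }
  return null;
}

// Snapshot of Object.prototype's own property names, taken at startup before any
// untrusted configuration is parsed.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Names now present on Object.prototype that were not in the baseline (empty when clean).
function unexpectedPrototypeProperties() {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !PROTOTYPE_BASELINE.has(n));
}

// Parse, then validate before the result is merged into application config.
// `parse` is whichever TOML parser is in use (assumed shape: text -> plain object).
function loadConfigSafely(text, parse) {
  const parsed = parse(text);
  const bad = findForbiddenKey(parsed);
  if (bad !== null) throw new Error(`rejected config: forbidden key at ${bad}`);
  const leaked = unexpectedPrototypeProperties();
  if (leaked.length > 0) throw new Error(`Object.prototype gained: ${leaked.join(', ')}`);
  return parsed;
}

// Constructed stand-in parser and samples so this runs offline with no TOML dependency.
// JSON.parse yields an own property literally named "__proto__", which is exactly the
// shape a key-walking check has to catch in a parsed document.
const fakeParse = (text) => JSON.parse(text);
const CLEAN_SAMPLE = '{"database":{"host":"db.internal","port":5432}}';
const POLLUTING_SAMPLE = '{"database":{"__proto__":{"polluted":"yes"}}}';

console.log(loadConfigSafely(CLEAN_SAMPLE, fakeParse).database.host); // db.internal
console.log(findForbiddenKey(fakeParse(POLLUTING_SAMPLE))); // database.__proto__
```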

🧯 If You Can't Patch

  • Isolate the application in a restricted network segment to limit potential lateral movement.
  • Implement strict file upload controls and scan all TOML files with security tools before processing.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list nconf-toml | grep nconf-toml

Check Version:

npm list nconf-toml

Verify Fix Applied:

Verify installed version is 0.0.3 or later: npm list nconf-toml

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes, abnormal memory usage, or errors in TOML parsing logs

Network Indicators:

  • Unusual outbound connections from the Node.js process, especially to unknown IPs

SIEM Query:

source="application.log" AND "nconf-toml" AND ("error" OR "crash" OR "unexpected")
