CVE-2021-25947

9.8 CRITICAL

📋 TL;DR

This is a prototype pollution vulnerability in the 'nestie' JavaScript library that allows attackers to modify object prototypes, potentially leading to denial of service or remote code execution. Any application using vulnerable versions of nestie is affected, particularly Node.js applications that process untrusted user input.

💻 Affected Systems

Products:
  • nestie
Versions: 0.0.0 through 1.0.0
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using nestie to process untrusted JSON or JavaScript objects. The vulnerability exists in the library's object nesting functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Denial of service through application crashes or instability, with potential for limited remote code execution in specific configurations.

🟢

If Mitigated

Limited impact if input validation and sanitization prevent prototype pollution payloads from reaching vulnerable code paths.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood with public proof-of-concepts available. Exploitation requires the application to process attacker-controlled objects through nestie functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1

Vendor Advisory: https://www.npmjs.com/advisories/1648

Restart Required: Yes

Instructions:

1. Update nestie to version 1.0.1 or later using 'npm update nestie'.
2. Restart your Node.js application.
3. Test that the update doesn't break functionality.

🔧 Temporary Workarounds

Input validation and sanitization (platforms: all)

Implement strict input validation to reject objects with prototype pollution payloads (keys such as __proto__, constructor and prototype, including inside dotted paths) before they reach nestie functions.

Object.freeze() on prototypes (platforms: all)

Freeze Object.prototype and other relevant prototypes to prevent pollution attacks. Freezing built-in prototypes can break libraries that extend them, so test the application before deploying this workaround.

Object.freeze(Object.prototype);
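The input-validation workaround above, as an added example that is not nestie's own code: a recursive check that reports the first pollution key in an incoming object (including dotted keys such as "a.__proto__.b" that nest-style libraries expand), and a hypothetical safeNest() that expands dotted keys but refuses forbidden path segments. Sample inputs are constructed with JSON.parse so that "__proto__" becomes an own property, as it would from a parsed request body.

```javascript
// Added example, not nestie's own code. Key names to reject on every nesting level.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the dotted path of the first forbidden key found, or null if the object is clean.
function findPollutionKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    // A dotted key is split the same way a nest-style library would expand it.
    if (key.split('.').some((seg) => FORBIDDEN.has(seg))) return here;
    const nested = findPollutionKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}

// Hypothetical hardened nesting: {"a.b": 1} -> {a: {b: 1}}, throwing on forbidden segments.
function safeNest(flat) {
  const out = {};
  for (const [key, val] of Object.entries(flat)) {
    const segs = key.split('.');
    let cur = out;
    segs.forEach((seg, i) => {
      if (FORBIDDEN.has(seg)) throw new Error(`rejected key segment: ${seg}`);
      if (i === segs.length - 1) { cur[seg] = val; return; }
      // Only descend into own, plain-object children; never into inherited properties.
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = {};
      }
      cur = cur[seg];
    });
  }
  return out;
}

// Constructed sample: one clean key and one dotted pollution attempt.
const sample = JSON.parse('{"user.name": "alice", "x.__proto__.admin": true}');
console.log(findPollutionKey(sample)); // "x.__proto__.admin"
```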

🧯 If You Can't Patch

  • Isolate the vulnerable application in a restricted network segment with minimal permissions
  • Implement web application firewall (WAF) rules to block prototype pollution patterns in incoming requests

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list nestie' to see if version is between 0.0.0 and 1.0.0 inclusive.

Check Version:

npm list nestie | grep nestie

Verify Fix Applied:

Verify nestie version is 1.0.1 or higher using 'npm list nestie' and test with known prototype pollution payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes, memory errors, or unexpected property modifications in object logs

Network Indicators:

  • HTTP requests containing __proto__ or constructor properties in JSON payloads

SIEM Query:

source="application_logs" AND ("__proto__" OR "constructor" OR "prototype") AND dest_port="*"
