CVE-2021-25948
📋 TL;DR
CVE-2021-25948 is a prototype pollution vulnerability in the 'expand-hash' npm package, versions 0.1.0 through 1.0.1. expand-hash expands keys written in dot notation (for example 'a.b.c') into nested objects; because the expansion did not reject key segments such as __proto__, attacker-controlled keys could write properties onto Object.prototype, which every object in the Node.js process inherits. Depending on how the application later reads those polluted properties, this leads to denial of service or, on some code paths, remote code execution. Any Node.js application that passes untrusted keys to an affected version of expand-hash is vulnerable.
💻 Affected Systems
- expand-hash npm package
📦 What is this software?
expand-hash is a small Node.js utility (repository: github.com/doowb/expand-hash) that expands object keys written in dot notation, such as {'a.b': 1}, into nested objects, such as {a: {b: 1}}.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.
If Mitigated
If input validation rejects keys containing __proto__, constructor or prototype before they reach expand-hash, malicious requests are simply refused. Should a payload slip past validation, the realistic outcome is application instability or a crash without code execution.
🎯 Exploit Status
Prototype pollution is a well-understood vulnerability class with public proof-of-concept payloads; for this bug a single key such as '__proto__.polluted' is enough to demonstrate the issue, so treat exploitation as trivial once an attacker can control keys passed to expand-hash.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.2 and later
Vendor Advisory: https://github.com/doowb/expand-hash/security/advisories
Restart Required: Yes
Instructions:
1. Update package.json to specify "expand-hash": "^1.0.2" (or a later release).
2. Run npm update expand-hash (or yarn upgrade expand-hash) so the lockfile and node_modules pick up the fixed version.
3. Restart the Node.js process; a polluted prototype lives in the running process's memory until it exits.
🔧 Temporary Workarounds
Input Validation and Sanitization
Reject any key whose dot-separated segments include __proto__, constructor or prototype before the object is passed to expand-hash. Checking only top-level property names is not enough, because the dangerous name can appear as a segment inside a dotted key such as 'a.__proto__.b'.
Object.freeze on Prototypes
Freeze Object.prototype (and, if your code never extends them, other base prototypes) at process start so that pollution attempts fail instead of succeeding. In strict-mode code the write throws a TypeError; in sloppy-mode code it is silently ignored. Libraries that monkey-patch Object.prototype will break, so test before deploying.
// Run once, as early as possible, before application and library code loads.
Object.freeze(Object.prototype);
🧯 If You Can't Patch
- Implement strict input validation to reject objects with __proto__ or constructor properties
- Use a library whose nested-key handling explicitly rejects __proto__, constructor and prototype segments; confirm this in its source or changelog before adopting it
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm ls expand-hash' to see every installed copy, including nested copies pulled in by other dependencies. Any copy with a version from 0.1.0 to 1.0.1 inclusive is vulnerable.
Check Version:
npm list expand-hash | grep expand-hash
Verify Fix Applied:
After updating, run 'npm ls expand-hash' and verify that every listed copy (including nested copies under other dependencies) is 1.0.2 or higher; 'npm audit' should no longer report CVE-2021-25948. Then exercise the code path that calls expand-hash with a known malicious key such as '__proto__.probe' and confirm that ({}).probe is still undefined afterwards.
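The following is an added example, not code from the expand-hash project or from this advisory. It serves both the "Input Validation and Sanitization" workaround and the "test with known malicious inputs" verification step above: a constructed minimal model of the dotted-key expansion pattern behind this CVE, the hardened form that rejects forbidden segments, and a probe function that reports whether an expansion function pollutes Object.prototype. The function names, the probe marker and the sample inputs are assumptions made for the example.

```javascript
// Added example (not expand-hash's own code): a minimal model of the
// dotted-key expansion pattern behind CVE-2021-25948, the hardened form that
// the "Input Validation" workaround describes, and a probe that checks whether
// a given expansion function pollutes Object.prototype.

// Key segments that must never be walked or created when expanding a path.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable model (constructed, not the library source). Each dotted key is
// split into segments and intermediate objects are created on the way down
// without checking the segment names. For "__proto__.polluted", `cur` becomes
// Object.prototype at the first hop and the final assignment writes to it.
function expandUnsafe(hash) {
  const out = {};
  for (const key of Object.keys(hash)) {
    const segs = key.split('.');
    let cur = out;
    for (let i = 0; i < segs.length - 1; i += 1) {
      if (typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
        cur[segs[i]] = {};
      }
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = hash[key];
  }
  return out;
}

// Hardened form: reject forbidden segments up front, build only null-prototype
// objects so there is no chain to reach, and treat only own properties as
// existing intermediates.
function expandSafe(hash) {
  const out = Object.create(null);
  for (const key of Object.keys(hash)) {
    const segs = key.split('.');
    if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      throw new Error(`rejected forbidden key segment in "${key}"`);
    }
    let cur = out;
    for (let i = 0; i < segs.length - 1; i += 1) {
      const own = Object.prototype.hasOwnProperty.call(cur, segs[i]);
      if (!own || typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
        cur[segs[i]] = Object.create(null);
      }
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = hash[key];
  }
  return out;
}

// Probe for the "test with known malicious inputs" step: feed one polluting
// key to the expansion function under test and report whether a fresh object
// now inherits the marker. Cleans up so later checks start from a clean state.
function pollutesObjectPrototype(expandFn) {
  const marker = '__cve_2021_25948_probe__'; // assumed marker name
  try {
    expandFn({ [`__proto__.${marker}`]: 'polluted' });
  } catch (_) {
    // A thrown rejection is the desired outcome for hardened code.
  }
  const polluted = ({})[marker] === 'polluted';
  delete Object.prototype[marker];
  return polluted;
}

console.log('unsafe model pollutes:', pollutesObjectPrototype(expandUnsafe)); // true
console.log('hardened model pollutes:', pollutesObjectPrototype(expandSafe)); // false
```

To verify a real deployment, point pollutesObjectPrototype at the wrapper in your own code that calls expand-hash rather than at the model above; a result of true after upgrading means an older copy is still being resolved somewhere in node_modules.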
📡 Detection & Monitoring
Log Indicators:
- Application crashes with prototype-related errors
- Unusual object property modifications in logs
- Unexpected __proto__ or constructor references in input
Network Indicators:
- HTTP requests containing __proto__ or constructor in JSON payloads
- Unusual patterns of requests to endpoints using expand-hash
SIEM Query:
source="application.logs" AND ("__proto__" OR "constructor" OR "prototype pollution")
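The following is an added example, not part of the original advisory: detection logic for the network indicators above, run over constructed sample request records (not real traffic). It flattens dotted keys and JSON nesting into one segment path per leaf, because expand-hash style code walks 'a.b.c' the same way nested {"a":{"b":{"c":...}}} would be walked by a merge-style library, and it scores '__proto__' and 'constructor' followed by 'prototype' as high while a lone 'constructor' or 'prototype' key is only low, since that name is common in benign data and is what makes the SIEM query above noisy. The record shape, field names and sample bodies are assumptions made for the example.

```javascript
// Added example (not part of the advisory): flag JSON request bodies whose
// key paths could reach Object.prototype, with a severity to cut down noise.
const HIGH = 'high';
const LOW = 'low';

// Severity for one flattened key path. "__proto__" anywhere, or "constructor"
// immediately followed by "prototype", reaches Object.prototype; a lone
// "constructor"/"prototype" key is worth a look but is common in benign data.
function classifyPath(segments) {
  if (segments.includes('__proto__')) return HIGH;
  for (let i = 0; i + 1 < segments.length; i += 1) {
    if (segments[i] === 'constructor' && segments[i + 1] === 'prototype') return HIGH;
  }
  if (segments.includes('constructor') || segments.includes('prototype')) return LOW;
  return null;
}

// Recursively walk a parsed JSON value, flattening dotted keys and nesting into
// one segment list per leaf (empty containers count as leaves so that
// {"__proto__":{}} is not missed). Returns [{ path, severity }] for every leaf
// whose path classifies as suspicious.
function findDangerousPaths(value, prefix = [], hits = []) {
  const isContainer = value !== null && typeof value === 'object';
  const keys = isContainer ? Object.keys(value) : [];
  if (!isContainer || keys.length === 0) {
    const severity = classifyPath(prefix);
    if (severity) hits.push({ path: prefix.join('.'), severity });
    return hits;
  }
  for (const key of keys) {
    // Array indexes come back as strings from Object.keys, which is fine here.
    findDangerousPaths(value[key], prefix.concat(key.split('.')), hits);
  }
  return hits;
}

// Scan one request record (assumed shape: method, url, body as a raw string).
// Non-JSON bodies are out of scope for this check and return null.
function scanRequest(rec) {
  let parsed;
  try {
    parsed = JSON.parse(rec.body);
  } catch (_) {
    return null;
  }
  const hits = findDangerousPaths(parsed);
  if (hits.length === 0) return null;
  const severity = hits.some((h) => h.severity === HIGH) ? HIGH : LOW;
  return { method: rec.method, url: rec.url, severity, hits };
}

// Constructed sample records (not real traffic): benign dotted keys, the
// expand-hash style dotted vector, the nested-object vector, a payload hidden
// inside an array, a benign-looking "constructor" field and a non-JSON body.
const SAMPLE_REQUESTS = [
  { method: 'POST', url: '/api/settings', body: '{"ui.theme":"dark","ui.lang":"en"}' },
  { method: 'POST', url: '/api/settings', body: '{"__proto__.isAdmin":true}' },
  { method: 'PUT', url: '/api/profile', body: '{"prefs":{"constructor":{"prototype":{"isAdmin":true}}}}' },
  { method: 'POST', url: '/api/settings', body: '{"tags":[{"a.b":1},{"__proto__":{}}]}' },
  { method: 'POST', url: '/api/vendors', body: '{"name":"Acme","constructor":"Acme Builders"}' },
  { method: 'GET', url: '/health', body: '' },
];

// Returns only the records that produced an alert, in input order.
function scanAll(records) {
  return records.map(scanRequest).filter((alert) => alert !== null);
}

for (const alert of scanAll(SAMPLE_REQUESTS)) {
  console.log(`${alert.severity.toUpperCase()} ${alert.method} ${alert.url}`, alert.hits);
}
```

Feed scanAll the parsed request records your proxy or application log already produces; the low-severity bucket is the one to tune, while any high-severity hit against an endpoint that reaches expand-hash warrants a look at whether the process was actually polluted.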
🔗 References
- https://github.com/doowb/expand-hash/blob/556913f6c2f05848110b5b8261cfc78e5ce3dc77/index.js#L19
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25948