CVE-2021-25952

9.8 CRITICAL

📋 TL;DR

This is a prototype pollution vulnerability in the 'just-safe-set' npm package that allows attackers to modify object prototypes, potentially leading to denial of service or remote code execution. It affects applications using vulnerable versions of this package, particularly Node.js applications that process untrusted user input.

💻 Affected Systems

Products:
  • just-safe-set npm package
Versions: 1.0.0 through 2.2.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vulnerable versions of just-safe-set that processes untrusted input is affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes or instability, potentially leading to data corruption.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, though prototype pollution can bypass some controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and often weaponized. The CVSS 9.8 score indicates critical severity with low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.2 and later

Vendor Advisory: https://github.com/angus-c/just/commit/dd57a476f4bb9d78c6f60741898dc04c71d2eb53

Restart Required: Yes

Instructions:

1. Update package.json to require 'just-safe-set' version '^2.2.2' or later.
2. Run 'npm update just-safe-set' or 'yarn upgrade just-safe-set'.
3. Restart your application.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation to prevent malicious object property names from reaching vulnerable functions.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-controlled data
  • Use application sandboxing or containerization to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for 'just-safe-set' version between 1.0.0 and 2.2.1 inclusive.

Check Version:

npm list just-safe-set

Verify Fix Applied:

Verify 'just-safe-set' version is 2.2.2 or higher in package.json and node_modules.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual memory usage patterns
  • Suspicious property assignments in logs

Network Indicators:

  • Unusual outbound connections from Node.js processes
  • Anomalous payloads containing '__proto__' or similar patterns

SIEM Query:

source="application_logs" AND ("just-safe-set" OR "prototype pollution" OR "__proto__")

🔗 References
