CVE-2021-25953

9.8 CRITICAL

📋 TL;DR

CVE-2021-25953 is a prototype pollution vulnerability in the putil-merge npm package. When a source object carries keys such as __proto__ or constructor.prototype, the merge follows them out of the target object and writes into Object.prototype, so every object in the Node.js process inherits attacker-chosen properties. The usual outcome is denial of service (crashes or misbehaviour when polluted properties shadow expected ones); depending on what the application or its dependencies later do with those properties, it may lead to remote code execution. The flaw is reachable wherever untrusted input, typically a parsed JSON request body, is passed to the merge function.

💻 Affected Systems

Products:
  • putil-merge npm package
Versions: 1.0.0 through 3.6.6
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application that passes attacker-influenced objects (for example a parsed JSON request body) into putil-merge's merge function is affected, including through a transitive dependency that bundles an old copy. The vulnerability is in the core merge routine, which treats keys such as __proto__ as paths to recurse into rather than as ordinary data.

📦 What is this software?

putil-merge is a small npm utility library for merging one JavaScript object into another, including nested properties. Node.js applications use it to combine configuration, defaults and request data into a single object.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Denial of service through application crashes or instability, with potential for limited code execution in specific configurations.

🟢

If Mitigated

Limited impact with proper input validation and sandboxing, potentially only causing application errors.

🌐 Internet-Facing: HIGH - Web applications using this library with user input are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal applications may still be vulnerable if they process untrusted data from internal sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to pass an attacker-controlled object (for example a parsed JSON request body) through the merge function. Whether that can be done without credentials depends on the endpoint, so "unauthenticated" describes the worst case rather than a property of the library. Public proof-of-concept code demonstrates the prototype pollution technique itself; there is no fixed chain from pollution to code execution, because the impact depends on which inherited properties the application or its dependencies later read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.7 and later

Vendor Advisory: https://www.npmjs.com/advisories/1665

Restart Required: Yes

Instructions:

1. Update package.json to require 'putil-merge': '^3.6.7' or higher.
2. Run 'npm update putil-merge' or 'npm install putil-merge@latest', then confirm with 'npm ls putil-merge' that no nested copy pulled in by another dependency remains at an older version.
3. Restart all Node.js processes that load the package; the patched module is only picked up on restart.

🔧 Temporary Workarounds

Input validation and sanitization

Platforms: all

Reject (or strip) any object whose keys, at any nesting depth, include __proto__, constructor or prototype before it reaches the merge call. Check the parsed object rather than the raw request string: JSON.parse turns a "__proto__" key into an ordinary own property, and JSON unicode escapes such as \u005f\u005fproto__ decode to the same key while evading a substring filter.

Use Object.freeze on Object.prototype

Platforms: all

Freeze Object.prototype at process start, before any untrusted data is processed:

Object.freeze(Object.prototype);

Caveats: in non-strict code a write to a frozen object fails silently, so pollution attempts are blocked but not surfaced in logs; in strict-mode code they throw a TypeError that appears as an application error. Freezing only Object.prototype leaves Array.prototype and Function.prototype writable, and any dependency that legitimately extends Object.prototype (polyfills, some older libraries) will break, so test the whole application before relying on this.

🧯 If You Can't Patch

  • Reject objects containing __proto__, constructor or prototype keys at any depth before they reach the merge call, checking the parsed object rather than the raw string.
  • Switch to a merge implementation that explicitly skips those keys. If you use lodash.merge, make sure it is a current release: older lodash versions needed their own prototype pollution fixes, and lodash has no configuration option that makes an unpatched version safe.
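The following is an added example, not putil-merge's own source or the public proof of concept: a deliberately naive recursive merge of the kind that produces this class of bug, next to a hardened variant that applies the key-rejection workaround above. The function names (naiveMerge, safeMerge, runDemo) and the payloads are made up for the illustration.

```javascript
// Added example, not putil-merge's own source: a naive recursive merge that
// reproduces CVE-2021-25953-style prototype pollution, next to a hardened
// variant. Function names and payloads are invented for this illustration.

// Anything the naive merge is willing to recurse into: objects, arrays and
// functions (functions matter because `target.constructor` is the Object
// function, and Object.prototype hangs off it).
function isMergeable(x) {
  return x !== null && (typeof x === 'object' || typeof x === 'function');
}

// VULNERABLE: never looks at the key name. With a plain-object target, the
// lookup target['__proto__'] resolves to Object.prototype and the recursive
// call assigns attacker-chosen properties onto it. The spelling
// {"constructor": {"prototype": {...}}} reaches the same place via Object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!isMergeable(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: refuse the three key names that let a merge walk out of the target
// and into a prototype. Throwing (rather than silently dropping the key) makes
// the attempt visible to the caller and its logging.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-polluting key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payloads, built with JSON.parse exactly as a body parser
// would: "__proto__" becomes an *own* property of the parsed object.
const PAYLOAD_PROTO = JSON.parse('{"__proto__": {"polluted": "yes"}}');
const PAYLOAD_CTOR = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}');

function runDemo() {
  const results = {};
  let probe;

  // 1. Naive merge, __proto__ path: a fresh, unrelated object now inherits
  //    the injected property.
  naiveMerge({ debug: false }, PAYLOAD_PROTO);
  probe = {};
  results.naiveProto = probe.polluted; // 'yes'
  delete Object.prototype.polluted;    // undo, so the process stays usable

  // 2. Naive merge, constructor.prototype path: same outcome.
  naiveMerge({ debug: false }, PAYLOAD_CTOR);
  probe = {};
  results.naiveCtor = probe.polluted;  // 'yes'
  delete Object.prototype.polluted;

  // 3. Hardened merge rejects both payloads and leaves Object.prototype clean.
  results.safeErrors = [PAYLOAD_PROTO, PAYLOAD_CTOR].map((payload) => {
    try {
      safeMerge({ debug: false }, payload);
      return null;
    } catch (err) {
      return err.message;
    }
  });
  probe = {};
  results.safeLeak = probe.polluted;   // undefined

  // 4. Ordinary nested data still merges as expected.
  results.benign = safeMerge({ a: { x: 1 } }, { a: { y: 2 }, b: 3 });
  return results;
}

console.log(runDemo());
```

The key point is step 1: the payload never names Object.prototype, yet a merge that trusts key names ends up writing there, and the polluted property is visible on every object created afterwards. The hardened variant checks the parsed object's keys, which is why it also catches the unicode-escaped spellings that a raw-string filter misses.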

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for putil-merge version. Run 'npm list putil-merge' to see installed version.

Check Version:

npm list putil-merge | grep putil-merge

Verify Fix Applied:

Confirm with 'npm list putil-merge' that every resolved copy is 3.6.7 or higher, in every lockfile and deployment artifact; a nested copy pulled in by another dependency can remain at an old version even after the top-level package is updated. Then exercise the upgrade directly: merge a test object carrying a __proto__ key into an empty object and confirm that a freshly created object does not inherit the injected property.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes, in particular TypeErrors (for example "x is not a function") appearing right after a request, which happen when an inherited property shadows a method or value the code expected
  • Properties present on objects that no code path assigns (for example every object suddenly reporting an admin or debug flag)
  • Errors or stack traces mentioning __proto__, constructor or prototype

Network Indicators:

  • JSON request bodies containing the keys __proto__, constructor or prototype, including unicode-escaped spellings such as \u005f\u005fproto__ that only show up after the body is parsed
  • Nested object structures in API calls that the endpoint's schema does not define

SIEM Query:

source=request_logs AND (body="*__proto__*" OR body="*constructor*" OR body="*prototype*")

This is a substring rule over logged request bodies and should be read as a triage lead rather than a verdict: requiring the literal "putil-merge" in the same event would almost never match, since request logs do not carry library names; "constructor" and "prototype" also appear in legitimate payloads; and a substring search misses unicode-escaped keys. Where body logging allows it, inspect the parsed JSON keys instead.
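As an added example, not part of the original advisory, here is a detection pass over constructed application log lines that inspects parsed JSON keys rather than the raw string, and records whether a plain substring rule would also have fired. The log format (one JSON object per line with "ts", "path" and "body" fields, "body" holding the raw request body as a string) is an assumption made for this example.

```javascript
// Added example, not from the original advisory. The log format (one JSON
// object per line with "ts", "path" and "body" fields) is assumed here.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample log lines; not real traffic. The fourth entry spells the
// key with JSON unicode escapes: JSON.parse turns it into the same own property
// "__proto__", but a raw-string search for "__proto__" never matches it.
const SAMPLE_LOGS = [
  { path: '/api/settings', body: '{"theme":"dark"}' },
  { path: '/api/settings', body: '{"__proto__":{"isAdmin":true}}' },
  { path: '/api/settings', body: '{"constructor":{"prototype":{"isAdmin":true}}}' },
  { path: '/api/settings', body: '{"\\u005f\\u005fproto__":{"isAdmin":true}}' },
  { path: '/api/profile', body: 'not json at all' },
].map((fields, i) => JSON.stringify({ ts: `2021-06-01T10:0${i}:00Z`, ...fields }));

// Recursively collect dotted paths of keys that a vulnerable deep merge would
// follow into a prototype. Only own keys are walked, so an object's real
// inherited __proto__ accessor is never reported.
function findPollutingKeys(value, path = [], found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) found.push(here.join('.'));
    findPollutingKeys(value[key], here, found);
  }
  return found;
}

// What a naive SIEM substring rule sees on the raw body string.
function rawSubstringHit(rawBody) {
  return /__proto__|constructor|prototype/.test(rawBody);
}

// One alert per log line whose JSON body carries a polluting key.
function scanLogs(lines) {
  const alerts = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // malformed log line, skip
    }
    let body;
    try {
      body = JSON.parse(entry.body);
    } catch {
      // Only JSON bodies are inspected here. Form-encoded bodies decoded by a
      // qs-style parser would need their own decoder before the same key walk.
      continue;
    }
    const keys = findPollutingKeys(body);
    if (keys.length > 0) {
      alerts.push({
        ts: entry.ts,
        path: entry.path,
        keys,
        rawSubstringHit: rawSubstringHit(entry.body),
      });
    }
  }
  return alerts;
}

console.log(scanLogs(SAMPLE_LOGS));
```

Running it over the constructed lines yields three alerts; the unicode-escaped one carries rawSubstringHit: false, which is the gap a substring-only query leaves. The "constructor" and "prototype" matches will need schema-aware tuning in real traffic, since both are legal key names in some APIs.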
