CVE-2021-26505

9.8 CRITICAL

📋 TL;DR

A prototype pollution vulnerability in hello.js version 1.18.6 allows attackers to modify JavaScript object prototypes, potentially leading to arbitrary code execution. This affects any application using the vulnerable hello.js library for OAuth authentication. Attackers can exploit this remotely without authentication.

💻 Affected Systems

Products:
  • hello.js
Versions: 1.18.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using hello.js for OAuth authentication is vulnerable. The vulnerability is in the hello.utils.extend function.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Application compromise allowing data manipulation, privilege escalation, and potential access to sensitive user information.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially only causing application instability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted payloads to applications using the vulnerable library. Proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.18.7 and later

Vendor Advisory: https://github.com/MrSwitch/hello.js/issues/634

Restart Required: Yes

Instructions:

1. Update hello.js to version 1.18.7 or later using npm update hello.js.
2. Restart any applications using hello.js.
3. Verify the update was successful.

🔧 Temporary Workarounds

Input validation wrapper (applies to: all)

Implement strict input validation for all data passed to the hello.utils.extend function.

Library replacement (applies to: all)

Temporarily replace hello.js with an alternative OAuth library until patched.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) to limit script execution
  • Use web application firewall (WAF) rules to block prototype pollution payloads

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/hello.js/package.json for version 1.18.6

Check Version:

npm list hello.js | grep hello.js

Verify Fix Applied:

Verify hello.js version is 1.18.7 or higher using npm list hello.js

📡 Detection & Monitoring

Log Indicators:

  • Unusual OAuth callback patterns
  • Multiple failed authentication attempts with malformed parameters
  • Application errors related to object prototype modifications

Network Indicators:

  • HTTP requests with unusual parameter structures targeting OAuth endpoints
  • Payloads containing __proto__ or constructor properties

SIEM Query:

source="web_logs" AND (uri_path="/oauth*" OR uri_path="/auth*") AND (http_params CONTAINS "__proto__" OR http_params CONTAINS "constructor")
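As an added example (not hello.js code and not the project's fix), the JavaScript below puts the two defensive pieces this page calls for side by side: a walker that reports where __proto__, constructor or prototype keys occur in a decoded request body, complementing the substring-based SIEM query above, and a deep-merge wrapper of the kind the input validation workaround describes, which skips those keys and only descends into own properties. The function names and the sample body are constructed for illustration.

```javascript
// Added example, not hello.js code: a detector for prototype-altering keys in a
// decoded request body, and a deep-merge wrapper that refuses to follow them.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Return the paths of every forbidden key in a parsed body, e.g. ["opts.constructor"].
// It walks own keys of the decoded value, so JSON or URL escaping of the key name
// does not hide it the way it can from a substring match on the raw request line.
function findPrototypeKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPrototypeKeys(item, `${path}[${i}]`, found));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (FORBIDDEN_KEYS.has(key)) found.push(here);
      findPrototypeKeys(value[key], here, found);
    }
  }
  return found;
}

// Deep-merge `source` into `target`, skipping forbidden keys and descending only
// into own plain-object properties, so the recursion can never land on
// Object.prototype. The unguarded pattern this replaces assigns target[key]
// and recurses into target[key] for nested objects without either check.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body (not from a real incident) carrying both key styles
// the SIEM query above matches on.
const SAMPLE_BODY = JSON.parse(
  '{"redirect_uri":"https://app.example/cb","__proto__":{"polluted":true},' +
  '"opts":{"constructor":{"prototype":{"isAdmin":true}}}}'
);
```

Rejecting a body outright when findPrototypeKeys returns a non-empty list is the stricter variant of the workaround; safeExtend is the permissive one that keeps the legitimate fields.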
