CVE-2021-26707

9.8 CRITICAL

📋 TL;DR

CVE-2021-26707 is a prototype pollution vulnerability in the merge-deep Node.js library that allows attackers to modify Object.prototype properties. This can lead to denial of service, remote code execution, or privilege escalation in applications using this library. Any Node.js application using merge-deep versions before 3.0.3 is affected.

💻 Affected Systems

Products:
  • merge-deep Node.js library
Versions: All versions before 3.0.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using merge-deep with untrusted input is vulnerable. The vulnerability is in the library itself, not dependent on specific configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service, application crashes, or privilege escalation within the application context.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only causing application instability.

🌐 Internet-Facing: HIGH - Web applications using merge-deep are directly exposed to attack vectors.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available. Exploitation requires the application to process attacker-controlled input through merge-deep functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.3 and later

Vendor Advisory: https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5

Restart Required: Yes

Instructions:

1. Update package.json to specify merge-deep version 3.0.3 or higher.
2. Run 'npm update merge-deep' or 'yarn upgrade merge-deep'.
3. Restart all Node.js applications using the library.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to prevent prototype pollution payloads from reaching merge-deep functions.

Object.freeze on Object.prototype (applies to: all)

Prevent modifications to Object.prototype by freezing it before processing untrusted data.

Object.freeze(Object.prototype);
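The two workarounds above in working form, as an added Node.js example that is not merge-deep's code and not the vendor's fix: a validator that reports where an untrusted payload carries a key able to reach Object.prototype, a deep merge that never copies such keys, and a check that Object.prototype is still clean afterwards. The function names, the sample payload and the defaults object are constructed for this example.

```javascript
'use strict';
// Added example (not merge-deep's code): a key validator and a prototype-safe
// deep merge, with a post-merge check that Object.prototype is still clean.
// Function names and the sample payload below are constructed for this demo.

// Keys through which a deep merge can walk from an ordinary object onto
// Object.prototype. Rejecting "constructor"/"prototype" anywhere is
// conservative and will also refuse documents that use those words as
// ordinary field names; narrow the set if that is a problem for your data.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Walk untrusted input and return the dotted path of the first unsafe key
// (e.g. "a.constructor"), or null when the payload carries none.
function findUnsafeKey(value, path = '') {
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) { // own keys only
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) return here;
    const hit = findUnsafeKey(value[key], here);
    if (hit) return hit;
  }
  return null;
}

// Merge `source` into a copy of `target`. Only own, safe keys are copied, so
// a "__proto__" entry on either side is dropped instead of being assigned
// (assigning result["__proto__"] would replace the result's prototype).
function safeMergeDeep(target, source) {
  const result = {};
  for (const [key, value] of Object.entries(target)) {
    if (!UNSAFE_KEYS.has(key)) result[key] = value;
  }
  for (const [key, value] of Object.entries(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const existing = result[key];
    result[key] = isPlainObject(value)
      ? safeMergeDeep(isPlainObject(existing) ? existing : {}, value)
      : value;
  }
  return result;
}

// A clean Object.prototype has no own enumerable properties; pollution via
// a merge shows up as a new enumerable key visible on every object.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed payload of the shape a JSON request body might carry. It is
// parsed from text so that "__proto__" becomes an own key; an object literal
// written in source would instead set the prototype and not be enumerable.
const UNTRUSTED = JSON.parse('{"name":"demo","__proto__":{"polluted":"yes"}}');
const DEFAULTS = { name: 'default', limits: { max: 10 } };

function demo() {
  return {
    flaggedAt: findUnsafeKey(UNTRUSTED),        // "__proto__"
    merged: safeMergeDeep(DEFAULTS, UNTRUSTED), // { name: "demo", limits: { max: 10 } }
    prototypeClean: prototypeIsClean(),         // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Object.freeze(Object.prototype) is deliberately not executed in the block: it is process-wide and irreversible, so it has to run before any untrusted data is processed, and any library that legitimately extends Object.prototype will then throw (strict mode) or have its writes silently ignored. Test it against the full dependency set before relying on it. Neither workaround replaces upgrading to 3.0.3.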

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to merge-deep functions
  • Isolate applications using merge-deep in containers or sandboxes to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for merge-deep version. If version is below 3.0.3, the application is vulnerable.

Check Version:

npm list merge-deep | grep merge-deep

Verify Fix Applied:

After updating, verify the installed version with 'npm list merge-deep' or check package.json for version >=3.0.3.
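The version check above relies on reading the lockfile by eye; the following added script (not part of the advisory and not an npm tool) does the same check programmatically over a package-lock.json object, covering every installed copy of merge-deep including ones nested under another dependency, which is the case a glance at the top-level package.json misses. The lockfile contents and the dependency name "some-plugin" are constructed for this example.

```javascript
'use strict';
// Added example, not part of the advisory or of npm: checks every installed
// copy of merge-deep recorded in a package-lock.json against the fixed
// version. "some-plugin" and the lockfile contents are constructed.

const PACKAGE = 'merge-deep';
const FIXED_VERSION = '3.0.3';

// Parse "MAJOR.MINOR.PATCH", tolerating a leading ^, ~ or v; returns null if
// the string is not a plain semver triple.
function parseVersion(text) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`cannot parse version: ${a} / ${b}`);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Every installed copy, including ones nested under another dependency.
// Lockfile v2/v3 record installs under "packages" keyed by path; v1 nests
// them under "dependencies". The v1 tree is only walked when "packages" is
// absent, since v2 files carry both for backward compatibility.
function findInstalled(lock, name = PACKAGE) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: meta.version });
    }
  }
  if (!lock.packages) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function assess(lock) {
  return findInstalled(lock).map((entry) => ({
    ...entry,
    vulnerable: isVulnerable(entry.version),
  }));
}

// Constructed lockfile: the app's own copy is fixed, but a hypothetical
// dependency "some-plugin" still pins an older nested copy.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { 'merge-deep': '^3.0.3', 'some-plugin': '^1.0.0' } },
    'node_modules/merge-deep': { version: '3.0.3' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { 'merge-deep': '^3.0.2' } },
    'node_modules/some-plugin/node_modules/merge-deep': { version: '3.0.2' },
  },
};

for (const entry of assess(SAMPLE_LOCK)) {
  console.log(`${entry.path}@${entry.version}: ${entry.vulnerable ? 'VULNERABLE' : 'ok'}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A nested vulnerable copy reported this way is also what `npm list merge-deep` shows; it is fixed by updating the dependency that pins it or by an `overrides` entry, not by bumping the top-level version alone.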

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual property modifications in objects
  • Error messages related to prototype pollution

Network Indicators:

  • Unusual HTTP requests with nested object payloads
  • Requests containing __proto__ or constructor properties

SIEM Query:

search 'merge-deep' OR 'prototype pollution' in application logs
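The network indicators above can be turned into a concrete check. The following added detector (not from the advisory, and not a product rule) runs over constructed newline-delimited JSON request-log lines and flags the three places a prototype-pollution payload can arrive in: a JSON body key, a query-string parameter, and a form-encoded body, the latter two in the bracket notation that qs-style parsers expand into nested objects. The log field names, addresses and bodies are all constructed.

```javascript
'use strict';
// Added example, not from the advisory: a detector run over constructed
// request-log lines (JSON per line) that flags payloads able to reach
// Object.prototype through a deep merge. Log field names, sample addresses
// and bodies are all constructed for this demo.

const KEY = '(?:__proto__|constructor|prototype)';
// A dangerous key in JSON key position: quoted and followed by a colon.
const JSON_KEY_RE = new RegExp(`"${KEY}"\\s*:`);
// A dangerous key in query/form position: as a parameter name or as a
// bracket segment (the "a[b][c]=1" nesting that qs-style parsers expand).
const QUERY_KEY_RE = new RegExp(`(?:^|[?&\\[])${KEY}(?:[\\[\\]=&]|$)`);

// Percent-decode, keeping the raw text if the encoding is malformed so a
// broken request cannot crash the scanner.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text;
  }
}

// Return the list of reasons a request looks like a pollution attempt
// (empty when it looks ordinary).
function inspectRequest(entry) {
  const reasons = [];
  const path = entry.path || '';
  const body = entry.body || '';
  const query = path.includes('?') ? path.slice(path.indexOf('?') + 1) : '';
  if (JSON_KEY_RE.test(body)) reasons.push('json-key');
  if (query && QUERY_KEY_RE.test(safeDecode(query))) reasons.push('query-key');
  if (entry.contentType === 'application/x-www-form-urlencoded' &&
      QUERY_KEY_RE.test(safeDecode(body))) {
    reasons.push('form-key');
  }
  return reasons;
}

// Scan newline-delimited JSON log lines; unparsable lines are skipped.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      continue;
    }
    const reasons = inspectRequest(entry);
    if (reasons.length > 0) {
      hits.push({ ts: entry.ts, src: entry.src, path: entry.path, reasons });
    }
  }
  return hits;
}

// Constructed log: one ordinary JSON request, one JSON body with a
// "__proto__" key, one bracket-style query string, one form body, and one
// benign request whose query merely contains the word "prototypes".
const SAMPLE_LOG = [
  { ts: '2021-03-01T10:00:00Z', src: '198.51.100.7', method: 'POST', path: '/api/profile',
    contentType: 'application/json', body: '{"name":"alice","prefs":{"theme":"dark"}}' },
  { ts: '2021-03-01T10:00:05Z', src: '198.51.100.9', method: 'POST', path: '/api/profile',
    contentType: 'application/json', body: '{"name":"x","__proto__":{"polluted":"yes"}}' },
  { ts: '2021-03-01T10:01:12Z', src: '198.51.100.9', method: 'GET',
    path: '/search?q=shoes&__proto__[polluted]=1' },
  { ts: '2021-03-01T10:02:40Z', src: '198.51.100.9', method: 'POST', path: '/api/settings',
    contentType: 'application/x-www-form-urlencoded', body: 'constructor%5Bprototype%5D%5Bx%5D=1' },
  { ts: '2021-03-01T10:03:00Z', src: '198.51.100.7', method: 'GET', path: '/docs?topic=prototypes' },
].map((e) => JSON.stringify(e));
SAMPLE_LOG.push('garbage line that is not JSON');

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.src} ${hit.path} -> ${hit.reasons.join(', ')}`);
}
```

Two limits to keep in mind: the body checks only work where the request body is actually logged, which most access logs do not do, so the same logic is better placed in a request-validation middleware or WAF rule in front of the application; and "constructor" and "prototype" are ordinary words, so expect some false positives from applications that use them as legitimate field names.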
