CVE-2021-3666

9.8 CRITICAL

📋 TL;DR

CVE-2021-3666 is a prototype pollution vulnerability in the body-parser-xml npm package that allows attackers to inject arbitrary properties into JavaScript objects. This affects any application using vulnerable versions of body-parser-xml to parse XML request bodies. Successful exploitation can lead to denial of service, remote code execution, or other security impacts depending on the application context.

💻 Affected Systems

Products:
  • body-parser-xml npm package
Versions: All versions before 2.0.3
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use body-parser-xml to parse XML request bodies. The vulnerability is in the XML parsing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case: Denial of service through application crashes or unexpected behavior, potentially enabling further attacks.

🟢 If Mitigated: Limited impact if input validation and sanitization are implemented, though prototype pollution remains dangerous.

🌐 Internet-Facing: HIGH - Any internet-facing application using vulnerable versions is directly exploitable via XML payloads.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted XML payloads. Public proof-of-concept code exists in the referenced GitHub commit and security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3

Vendor Advisory: https://github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63

Restart Required: Yes

Instructions:

1. Update package.json to specify body-parser-xml version 2.0.3 or higher.
2. Run 'npm update body-parser-xml' or 'yarn upgrade body-parser-xml'.
3. Restart the Node.js application to apply the update.

🔧 Temporary Workarounds

Disable XML parsing (applies to: all)

Remove or disable the body-parser-xml middleware if XML parsing is not required, i.e. remove 'app.use(bodyParser.xml())' or similar lines from your application code.

Input validation and sanitization (applies to: all)

Implement strict input validation and sanitization for XML payloads before processing.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block malicious XML payloads containing prototype pollution patterns.
  • Isolate affected applications in network segments with strict access controls and monitor for suspicious XML traffic.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list body-parser-xml' to see whether the installed version is below 2.0.3.

Check Version:

npm list body-parser-xml | grep body-parser-xml

Verify Fix Applied:

After updating, verify with 'npm list body-parser-xml' that version 2.0.3 or higher is installed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML payloads in request logs
  • Application errors or crashes during XML parsing
  • Suspicious property injection patterns in debug logs

Network Indicators:

  • XML payloads containing '__proto__', 'constructor', or 'prototype' properties
  • Unusually large or malformed XML requests

SIEM Query:

source="application_logs" AND ("body-parser-xml" OR "XML parsing error") AND ("__proto__" OR "constructor" OR "prototype")
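The input validation workaround and the '__proto__', 'constructor' and 'prototype' indicators listed above can both be applied in application code. The following is an added example, not code from body-parser-xml or its fix commit; it assumes the XML parser yields a plain object tree and uses constructed sample inputs.

```javascript
// Added example, not body-parser-xml's own code: defensive checks around an
// XML body parser, using the key names the advisory lists as indicators.

const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Raw-payload check (WAF rule or pre-parse middleware): does the XML text
// contain an element whose name is one of the dangerous keys?
const POLLUTION_ELEMENT = /<(?:__proto__|constructor|prototype)\b/i;
function xmlLooksPolluted(xmlText) {
  return POLLUTION_ELEMENT.test(xmlText);
}

// Post-parse check: dotted path of the first dangerous key in the parsed
// object, or null when the body is clean. Object.keys lists only own
// properties, so a '__proto__' own property produced by a parser is caught
// while the inherited accessor on ordinary objects is ignored.
function findPollutionKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTION_KEYS.has(key)) return here;
    const nested = findPollutionKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}

// Post-parse sanitiser: deep-copy the body, dropping dangerous keys at every
// level so later merges or assignments cannot reach Object.prototype.
function stripPollutionKeys(value) {
  if (Array.isArray(value)) return value.map(stripPollutionKeys);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (!POLLUTION_KEYS.has(key)) out[key] = stripPollutionKeys(value[key]);
  }
  return out;
}

// Constructed samples. JSON.parse is used only to build an object carrying
// '__proto__' as an own property, the shape a naive XML-to-object conversion
// can yield (an object literal with that key would set the prototype instead).
const CLEAN_BODY = JSON.parse('{"user":{"name":"alice","role":"viewer"}}');
const POLLUTED_BODY = JSON.parse(
  '{"user":{"name":"alice","__proto__":{"isAdmin":true}}}'
);
```

Run xmlLooksPolluted on the raw request and findPollutionKey (or stripPollutionKeys) on the parsed body before any code merges it into application objects.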
