CVE-2021-3766

9.8 CRITICAL

📋 TL;DR

CVE-2021-3766 is a prototype pollution vulnerability in objection.js that allows attackers to modify object prototypes, potentially leading to remote code execution or denial of service. This affects applications using vulnerable versions of objection.js, particularly those that process untrusted user input through the library's functions.

💻 Affected Systems

Products:
  • objection.js
Versions: before 2.2.18
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using objection.js with untrusted input are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠

Likely Case

Denial of service, privilege escalation, or data manipulation through prototype pollution.

🟢

If Mitigated

Limited impact with proper input validation and sanitization in place.

🌐 Internet-Facing: HIGH - Web applications processing user input are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications may still be vulnerable if processing untrusted data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted input to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.18 and later

Vendor Advisory: https://github.com/Vincit/objection.js/commit/46b842a6bc897198b83f41ac85c92864b991d7e9

Restart Required: Yes

Instructions:

1. Update objection.js to version 2.2.18 or later using npm update objection.
2. Restart the application to apply changes.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and sanitization for all user-provided data before processing with objection.js.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs.
  • Use web application firewalls (WAF) to filter malicious payloads targeting prototype pollution.
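The input-validation workaround above, as an added example that is not code from this advisory or from the objection.js project: a guard that rejects request bodies carrying prototype-pollution keys before they are passed to objection.js. The Express-style middleware wiring, the key list and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example, not code from the advisory or from objection.js: reject request
// bodies carrying prototype-pollution keys before they reach objection.js.
// The Express-style wiring and the sample payloads are constructed.
'use strict';

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value (objects and arrays, any depth) and return the
// JSONPath-like location of the first forbidden key, or null when clean.
// Object.getOwnPropertyNames is used because JSON.parse stores a literal
// "__proto__" key as an own property, which is exactly the case to catch.
// A WeakSet of visited objects stops the walk on cyclic input.
function findForbiddenKeyPath(value, path = '$', seen = new WeakSet()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return null;
  seen.add(value);
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKeyPath(value[i], `${path}[${i}]`, seen);
      if (hit !== null) return hit;
    }
    return null;
  }
  for (const key of Object.getOwnPropertyNames(value)) {
    const childPath = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) return childPath;
    const hit = findForbiddenKeyPath(value[key], childPath, seen);
    if (hit !== null) return hit;
  }
  return null;
}

// Express-style middleware (hypothetical wiring): refuse the request with 400
// rather than silently "cleaning" it, so the attempt is visible in logs.
function rejectPrototypeKeys(req, res, next) {
  const hit = findForbiddenKeyPath(req.body);
  if (hit !== null) {
    res.status(400).json({ error: 'forbidden key in request body', at: hit });
    return;
  }
  next();
}

// Stand-alone demo with a constructed payload and a minimal fake res/next;
// returns the sequence of calls the middleware made.
function demo(bodyText) {
  const calls = [];
  const res = {
    status(code) { calls.push(`status ${code}`); return this; },
    json(payload) { calls.push(`json ${JSON.stringify(payload)}`); },
  };
  rejectPrototypeKeys({ body: JSON.parse(bodyText) }, res, () => calls.push('next'));
  return calls;
}

console.log(demo('{"firstName":"alice"}'));
console.log(demo('{"firstName":"alice","__proto__":{"isAdmin":true}}'));
```

Mount rejectPrototypeKeys after the JSON body parser and before any route that feeds req.body into objection.js query builders; the returned path ("$.items[1].constructor" and similar) is worth logging, since it is the detail a SIEM rule can later pivot on.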

🔍 How to Verify

Check if Vulnerable:

Check package.json for objection.js version. If version is below 2.2.18, the system is vulnerable.

Check Version:

npm list objection

Verify Fix Applied:

Verify objection.js version is 2.2.18 or higher in package.json after update.
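The version check above, as an added example that is not code from this advisory or from the objection.js project: it compares a version string numerically against 2.2.18 (a plain string comparison would rank "2.2.9" above "2.2.18") and distinguishes the application's package.json, where the dependency entry is only a range, from the installed copy's own package.json, where "version" is concrete. The package.json texts are constructed samples.

```javascript
// Added example, not code from the advisory or from objection.js: decide
// whether an objection version string is below the fixed release 2.2.18.
// The package.json texts at the bottom are constructed samples.
'use strict';

const FIXED_VERSION = [2, 2, 18];

// Parse "2.2.17", "v2.2.17", "^2.2.17", ">=2.2.17" or "2.2.18-rc.1" into
// { parts: [major, minor, patch], prerelease: boolean }. Anything else
// ("2.x", "latest", a git URL) yields null: not a single version.
function parseVersion(text) {
  const m = /^\s*(?:>=|[\^~=v])?\s*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?\s*$/.exec(String(text));
  if (m === null) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// true  -> before 2.2.18 (vulnerable per the advisory)
// false -> 2.2.18 or later
// null  -> could not parse; fall back to `npm list objection`
function isVulnerableVersion(text) {
  const v = parseVersion(text);
  if (v === null) return null;
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] < FIXED_VERSION[i]) return true;
    if (v.parts[i] > FIXED_VERSION[i]) return false;
  }
  // Equal numeric parts: a pre-release such as 2.2.18-rc.1 sorts before 2.2.18.
  return v.prerelease;
}

// Inspect a package.json text. If it is objection's own package.json
// (node_modules/objection/package.json), "version" is the installed, concrete
// version. If it is the application's package.json, the dependency entry is a
// range; only its lower bound is checked, "concrete" is false, and the
// installed copy still has to be confirmed with `npm list objection`.
function checkPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (pkg.name === 'objection' && typeof pkg.version === 'string') {
    return { version: pkg.version, concrete: true, vulnerable: isVulnerableVersion(pkg.version) };
  }
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const range = pkg[field] && pkg[field].objection;
    if (typeof range === 'string') {
      return { version: range, concrete: false, vulnerable: isVulnerableVersion(range) };
    }
  }
  return null; // objection is not declared in this file
}

// Constructed sample inputs: an application manifest with a range, and the
// installed package's own manifest with a concrete version.
const APP_PACKAGE_JSON = '{"name":"my-app","dependencies":{"objection":"^2.2.15"}}';
const INSTALLED_PACKAGE_JSON = '{"name":"objection","version":"2.2.18"}';

console.log(checkPackageJson(APP_PACKAGE_JSON));
console.log(checkPackageJson(INSTALLED_PACKAGE_JSON));
```

A "vulnerable: true" result with "concrete: false" only says the declared range admits a vulnerable release; read node_modules/objection/package.json or run npm list objection to get the installed version before concluding either way.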

📡 Detection & Monitoring

Log Indicators:

  • Unusual object property modifications, unexpected prototype changes, or error logs related to object manipulation.

Network Indicators:

  • HTTP requests with specially crafted JSON payloads targeting objection.js endpoints.

SIEM Query:

Search for HTTP requests containing '__proto__' or 'constructor' in payloads to objection.js endpoints.
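The SIEM query above, run over sample web-server log lines as an added example that is not code from this advisory or from any SIEM product. A plain substring search for '__proto__' or 'constructor' also fires on ordinary values (a company name, a note about JavaScript constructor functions), so this version matches the tokens only in JSON-key position and also records whether the server accepted the request, which is the case that needs triage. The log format, the log lines and the endpoint paths are constructed assumptions.

```javascript
// Added example, not code from the advisory or from any SIEM: the advisory's
// search refined to match the tokens only as JSON keys. Log format and lines
// below are constructed.
'use strict';

// Token in JSON-key position: quoted, then optional whitespace and a colon.
const KEY_PATTERN = /"(__proto__|constructor|prototype)"\s*:/g;
// Plain substring search, equivalent to the advisory's SIEM query, kept for
// side-by-side comparison of what each approach flags.
const NAIVE_PATTERN = /__proto__|constructor/;

// Constructed log format: "<iso-time> <method> <path> <status> body=<json>".
const LOG_LINE = /^(\S+) (\S+) (\S+) (\d{3}) body=(.*)$/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (m === null) return null;
  return { time: m[1], method: m[2], path: m[3], status: Number(m[4]), body: m[5] };
}

// One finding per line whose body uses a forbidden token as a key. "accepted"
// is true when the server answered 2xx/3xx: the request got past validation
// and the affected row or object needs to be examined.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const entry = parseLogLine(line);
    if (entry === null) return;
    const keys = [...entry.body.matchAll(KEY_PATTERN)].map((m) => m[1]);
    if (keys.length === 0) return;
    findings.push({
      line: index + 1,
      path: entry.path,
      keys: [...new Set(keys)],
      accepted: entry.status < 400,
    });
  });
  return findings;
}

// Line numbers the naive substring query would flag on the same input.
function naiveMatches(lines) {
  return lines.map((l, i) => (NAIVE_PATTERN.test(l) ? i + 1 : null)).filter((n) => n !== null);
}

// Constructed sample log: lines 1 and 5 contain "constructor" only as a
// value; lines 2, 3 and 6 use forbidden tokens as keys; line 6 was accepted.
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z POST /api/users 201 body={"name":"alice","company":"bridge constructor ltd"}',
  '2024-01-01T10:00:01Z POST /api/users 400 body={"name":"bob","__proto__":{"isAdmin":true}}',
  '2024-01-01T10:00:02Z PATCH /api/users/7 400 body={"profile":{"constructor":{"prototype":{"role":"admin"}}}}',
  '2024-01-01T10:00:03Z GET /healthz 200 body=',
  '2024-01-01T10:00:04Z POST /api/notes 201 body={"text":"read about JS constructor functions"}',
  '2024-01-01T10:00:05Z POST /api/orders 201 body={"item":"x","constructor":{"prototype":{"paid":true}}}',
];

console.log('key-position matches:', scanLogLines(SAMPLE_LOG));
console.log('naive matches (lines):', naiveMatches(SAMPLE_LOG));
```

On the sample input the naive query flags five of six lines while the key-position rule flags three, and only line 6 is both flagged and accepted; in a real SIEM the same distinction is made by anchoring the search term on the surrounding quote and colon and by joining on the response status.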

🔗 References
