CVE-2021-3805

7.5 HIGH

📋 TL;DR

CVE-2021-3805 is a prototype pollution vulnerability in the object-path npm package that allows attackers to modify JavaScript object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. This affects any application using vulnerable versions of object-path, particularly Node.js applications and web services. The vulnerability is exploitable when user-controlled input reaches object-path's set or del methods.

💻 Affected Systems

Products:
  • object-path npm package
Versions: before 0.11.8
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using object-path's set or del methods with untrusted input is vulnerable. The vulnerability is in the library itself, not dependent on specific configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case

Denial of service through application crashes or unexpected behavior, potentially enabling privilege escalation in multi-user environments.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, though prototype pollution can bypass some security controls.

🌐 Internet-Facing: HIGH - Web applications using object-path with user input are directly exposed.
🏢 Internal Only: MEDIUM - Internal services may be vulnerable to authenticated attacks or supply chain compromises.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploits are publicly available. Exploitation requires user input to reach vulnerable functions, which is common in many applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.8 and later

Vendor Advisory: https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6

Restart Required: Yes

Instructions:

1. Update object-path to version 0.11.8 or later using npm update object-path.
2. Restart all affected Node.js applications.
3. Test application functionality after update.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to prevent prototype pollution payloads from reaching object-path functions.

Object.freeze on prototypes (applies to: all)

Freeze Object.prototype and other critical prototypes to prevent modification.

Object.freeze(Object.prototype);
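An added JavaScript example of the two workarounds above; it is not code from the object-path project. The guard rejects path segments that could reach Object.prototype before a path is handed to set or del, a minimal own-property setter stands in for object-path.set so the snippet runs without the package, and the helper names (isSafePath, guardedSet, prototypeIsClean, hardenPrototypes) are hypothetical.

```javascript
// Added example, not from the object-path project. Hypothetical helpers:
// isSafePath, guardedSet, prototypeIsClean, hardenPrototypes.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// object-path accepts either a dotted string ("a.b.c") or an array of keys.
function splitPath(path) {
  if (Array.isArray(path)) return path.map(String);
  if (typeof path === 'string') return path.split('.');
  throw new TypeError('path must be a string or an array of keys');
}

// True only when no segment can walk from the target object up to a prototype.
function isSafePath(path) {
  return splitPath(path).every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Own-property-only setter standing in for object-path.set so this runs
// offline; untrusted paths are validated before any write happens.
function guardedSet(obj, path, value) {
  if (!isSafePath(path)) throw new Error(`rejected unsafe path: ${path}`);
  const segs = splitPath(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Defender's sanity check: a fresh object must not inherit a probe property.
function prototypeIsClean(probe = 'polluted') {
  return !(probe in {});
}

// Second workaround from the page: freeze Object.prototype so a pollution that
// slips past validation cannot land. Returns true once the prototype is frozen.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Benign config path is applied; a polluting path is refused; prototype stays clean.
function demo() {
  const cfg = guardedSet({}, 'server.port', 8080);
  let refused = false;
  try { guardedSet({}, '__proto__.polluted', true); } catch (e) { refused = true; }
  return { port: cfg.server.port, refused, clean: prototypeIsClean() };
}
```

Call hardenPrototypes() once at process start, before any untrusted input is handled, and keep the path guard in place as the primary control.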

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs that interact with object-path.
  • Use security monitoring to detect prototype pollution attempts and isolate affected systems.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list object-path to see if version is below 0.11.8.

Check Version:

npm list object-path | grep object-path

Verify Fix Applied:

Confirm object-path version is 0.11.8 or higher using npm list object-path.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual prototype modification attempts in logs
  • Error messages related to object-path

Network Indicators:

  • Requests containing __proto__ or constructor payloads
  • Unusual patterns in API calls to affected endpoints

SIEM Query:

search for 'object-path' AND ('error' OR 'crash' OR '__proto__') in application logs

🔗 References