CVE-2021-3918
📋 TL;DR
CVE-2021-3918 is a prototype pollution vulnerability in the json-schema npm package (kriszyp/json-schema), versions before 0.4.0. The validator walked schema property names such as `__proto__` and `constructor` like any other property and read and wrote through them, so an attacker who can influence the schema, or the JSON that is validated against an attacker-influenced schema, can add or overwrite properties on `Object.prototype`. Every object in the Node.js process then inherits those properties, which typically causes denial of service and, depending on where the polluted properties are consumed, can lead to authorization bypass or remote code execution. Any application that uses a vulnerable json-schema, directly or as a transitive dependency, is affected.
💻 Affected Systems
- json-schema
- Any software/library depending on json-schema
📦 What is this software?
json-schema (kriszyp/json-schema) is a small npm package that validates JavaScript objects against JSON Schema definitions. It is far more often installed as a transitive dependency than used directly, for example through jsprim and the request HTTP client, so many projects carry a copy without listing it in their own package.json.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution when a polluted property reaches a code-execution sink (for example template-engine options or child-process spawn options), leading to complete system compromise, data exfiltration, or persistent backdoor installation.
Likely Case
Denial of service: a property injected onto `Object.prototype` shows up on every object in the process, so unrelated code misbehaves, throws, or crashes. Where the injected property feeds an authorization decision (an `isAdmin` or role flag that is checked with `if (user.isAdmin)`), the result is privilege escalation rather than a crash.
If Mitigated
Limited impact when the schema source is trusted, untrusted JSON is screened for `__proto__`, `constructor` and `prototype` keys before validation, and `Object.prototype` is frozen at startup; even then a successful pollution still changes application behaviour, so patching remains the real fix.
🎯 Exploit Status
Exploitation requires getting a crafted schema, or JSON that the application validates with an attacker-influenced schema, into the vulnerable `validate` call; no authentication is needed beyond whatever the endpoint itself requires. A public proof of concept exists (see the huntr report in the references).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: json-schema 0.4.0, which contains commit 22f146111f541d9737e832823699ad3528ca7741
Vendor Advisory: https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
Restart Required: Yes (a running Node.js process keeps the module it loaded at startup; restart it so the updated package is used)
Instructions:
1. Update json-schema to 0.4.0 or later. If it is a direct dependency, `npm update json-schema` is enough. If it is transitive, the dependent package may pin an older version: update that dependent, run `npm audit fix`, or add an `overrides` entry for json-schema in package.json (npm 8.3 or later).
2. Verify with `npm ls json-schema` that no copy older than 0.4.0 remains anywhere in the tree.
3. Restart the application and test its functionality after the update.
🔧 Temporary Workarounds
Input Validation and Sanitization
Reject JSON that contains `__proto__`, `constructor` or `prototype` keys at any depth before it reaches json-schema. Screen the parsed object rather than the raw text, because JSON unicode escapes (`"\u005f\u005fproto\u005f\u005f"`) decode to the same key and slip past a substring match.
Object.freeze() on Prototypes
Freeze the built-in prototypes once, at process start, before any dependency is loaded:
Object.freeze(Object.prototype);
Object.freeze(Array.prototype);
With the prototypes frozen, a pollution attempt throws a TypeError in strict-mode code and fails silently in sloppy-mode code; either way the property is not added. The freeze is irreversible for the process, and it breaks any library that patches or polyfills these prototypes at runtime, so test the whole dependency set with it enabled.
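The following is an added, self-contained example and is not json-schema's own code. It reproduces the class of bug described in the TL;DR in a minimal schema walker (iterate `schema.properties`, read the matching value off the instance, fill in defaults, recurse), shows a fix of the same shape as the upstream commit (skip `__proto__`, `constructor` and `prototype`, read only own properties), and then shows the `Object.freeze()` workaround above stopping the vulnerable walker. The malicious schema is a constructed input, and the property name `polluted` is an arbitrary marker.

```javascript
'use strict';

// Constructed malicious schema (hypothetical input): it names "__proto__" as a
// property and hangs a default value off a nested property beneath it.
const MALICIOUS_SCHEMA = JSON.parse(`{
  "properties": {
    "__proto__": {
      "properties": {
        "polluted": { "default": "yes" }
      }
    }
  }
}`);

// Vulnerable pattern: iterate every key of schema.properties, read the matching
// value off the instance, fill in defaults, recurse into objects. JSON.parse
// creates "__proto__" as an ordinary own key, so the loop visits it, and
// instance["__proto__"] on a plain object returns Object.prototype itself.
// The recursion then writes the default onto the shared prototype.
function applyDefaultsVulnerable(instance, schema) {
  const props = schema.properties;
  if (!props || instance === null || typeof instance !== 'object') return instance;
  for (const key of Object.keys(props)) {
    const propDef = props[key];
    let value = instance[key];
    if (value === undefined && propDef.default !== undefined) {
      value = instance[key] = propDef.default;
    }
    if (value !== null && typeof value === 'object') {
      applyDefaultsVulnerable(value, propDef);
    }
  }
  return instance;
}

// Hardened pattern, same shape as the upstream fix: skip the keys that reach
// the prototype chain, and only read own properties of the instance.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function applyDefaultsFixed(instance, schema) {
  const props = schema.properties;
  if (!props || instance === null || typeof instance !== 'object') return instance;
  for (const key of Object.keys(props)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const propDef = props[key];
    let value = Object.prototype.hasOwnProperty.call(instance, key) ? instance[key] : undefined;
    if (value === undefined && propDef.default !== undefined) {
      value = instance[key] = propDef.default;
    }
    if (value !== null && typeof value === 'object') {
      applyDefaultsFixed(value, propDef);
    }
  }
  return instance;
}

// Run a walker against the malicious schema and report whether an unrelated,
// freshly created object inherited "polluted". The prototype is cleaned up
// afterwards so one run cannot contaminate the next.
function isPollutedAfter(walker) {
  try {
    walker({}, MALICIOUS_SCHEMA);
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// The Object.freeze() workaround: once Object.prototype is frozen the
// vulnerable walker can no longer add the property. In strict mode the write
// throws a TypeError; in sloppy mode it fails silently. Either way the
// pollution does not land. Freezing is irreversible for this process.
function pollutionBlockedByFreeze() {
  Object.freeze(Object.prototype);
  try {
    applyDefaultsVulnerable({}, MALICIOUS_SCHEMA);
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  }
  return ({}).polluted === undefined;
}

// Results are computed once, in this order, because the freeze step cannot be
// undone and would change the outcome of the vulnerable run.
let results = null;
function runDemo() {
  if (results === null) {
    results = {
      vulnerableWalkerPollutes: isPollutedAfter(applyDefaultsVulnerable),
      fixedWalkerPollutes: isPollutedAfter(applyDefaultsFixed),
      freezeBlocksPollution: pollutionBlockedByFreeze(),
    };
  }
  return results;
}

console.log(runDemo());
```

Note that the hardened walker still applies ordinary defaults; only the three prototype-reaching keys are skipped. The `hasOwnProperty` read is defence in depth: even if a forbidden key slipped through, reading only own properties would stop the walk from descending into `Object.prototype`.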
🧯 If You Can't Patch
- Isolate the vulnerable service with network segmentation and run it with the least privilege it needs, so a crash or a compromised process has limited reach
- Deploy web application firewall (WAF) rules that block JSON bodies containing `__proto__`, `constructor` or `prototype` keys; prefer rules that decode the JSON first, since a plain substring rule misses unicode-escaped key names
- Stop accepting schemas from untrusted sources: validate only against schemas that ship with the application
🔍 How to Verify
Check if Vulnerable:
Run `npm ls json-schema` (or `npm audit`) in the project and look at every copy of json-schema in the tree, including transitive ones. Any version below 0.4.0 is vulnerable. Installed packages do not carry the fix commit's hash, so compare versions, not hashes.
Check Version:
npm ls json-schema
Verify Fix Applied:
Confirm that every copy reported by `npm ls json-schema` is 0.4.0 or later and that the process has been restarted. As a functional check, validate an empty object against a schema whose `properties` contains `__proto__` with a nested `default`, then confirm that a fresh `{}` does not inherit the property.
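An added example, not part of this advisory or of npm: it reads the JSON form of `npm ls json-schema --json`, walks the nested `dependencies` objects npm prints, and reports every copy of json-schema in the tree that is older than the fixed release 0.4.0. The input embedded below is constructed to look like npm's output for a project that only pulls json-schema in transitively; the package names and versions in it are illustrative.

```javascript
'use strict';

const FIXED_VERSION = '0.4.0';

// Compare dotted numeric versions (pre-release suffixes are stripped).
// Returns a negative, zero or positive number like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the nested "dependencies" objects and collect every json-schema node
// together with the dependency path that leads to it.
function findJsonSchemaCopies(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const name of Object.keys(deps)) {
    const node = deps[name];
    const here = [...path, `${name}@${node.version}`];
    if (name === 'json-schema' && node.version) {
      out.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: isVulnerableVersion(node.version),
      });
    }
    findJsonSchemaCopies(node, here, out);
  }
  return out;
}

// Constructed sample: the shape follows `npm ls json-schema --json`, the
// contents are made up for this example.
const SAMPLE_NPM_LS = JSON.parse(`{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "request": {
      "version": "2.88.2",
      "dependencies": {
        "http-signature": {
          "version": "1.2.0",
          "dependencies": {
            "jsprim": {
              "version": "1.4.1",
              "dependencies": {
                "json-schema": { "version": "0.2.3" }
              }
            }
          }
        }
      }
    },
    "some-validator": {
      "version": "3.1.0",
      "dependencies": {
        "json-schema": { "version": "0.4.0" }
      }
    }
  }
}`);

// Returns every copy found plus the subset that still needs patching.
function auditTree(tree) {
  const copies = findJsonSchemaCopies(tree);
  return { copies, vulnerable: copies.filter((c) => c.vulnerable) };
}

const report = auditTree(SAMPLE_NPM_LS);
for (const c of report.copies) {
  console.log(`${c.vulnerable ? 'VULNERABLE' : 'ok        '} ${c.version}  ${c.path}`);
}

// To audit a real project: npm ls json-schema --json > tree.json, then call
// auditTree(JSON.parse(require('fs').readFileSync('tree.json', 'utf8'))).
```

The path column is what makes this useful in practice: a vulnerable copy is usually several levels down, and the path tells you which direct dependency to bump or override.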
📡 Detection & Monitoring
Log Indicators:
- Request bodies or uploaded schemas containing `__proto__`, `constructor` or `prototype` keys, including unicode-escaped spellings of those names
- Validation errors or exceptions that mention unexpected properties, followed by unrelated parts of the application failing in the same process
- Application crashes or restarts that start shortly after a burst of requests to validation endpoints
Network Indicators:
- Repeated requests to validation or schema-upload endpoints from the same source with near-identical JSON bodies that differ only in the injected key or value
- Prototype pollution payloads are small and well-formed, so body size and malformed-JSON alerts are not reliable signals here
SIEM Query (field names are illustrative; adjust `body` to the field that holds the decoded request body):
source="application_logs" AND (body="*__proto__*" OR body="*\"constructor\":*" OR body="*\"prototype\":*")
Expect false positives from legitimate JSON that uses `constructor` or `prototype` as field names; the `__proto__` match alone is high-signal.
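The following is an added example, not part of the advisory. It implements the screening gate described under the input-validation workaround and the log review described in this section: it walks the parsed JSON rather than matching the raw text, so unicode-escaped key names are caught, and it scans a handful of constructed access-log lines for the keys a pollution payload has to use. The log format (timestamp, client IP, method, path, raw body) and the `/api/schemas` endpoint are assumptions for the example.

```javascript
'use strict';

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return a pointer-style path for every dangerous
// key, at any depth, arrays included. Object.keys() lists "__proto__" when
// JSON.parse created it as an own property, which is exactly the case we want.
function findDangerousKeys(value, path = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findDangerousKeys(item, `${path}/${i}`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = `${path}/${key}`;
      if (DANGEROUS_KEYS.has(key)) out.push(here);
      findDangerousKeys(value[key], here, out);
    }
  }
  return out;
}

// Gate to put in front of the validator: parse once, screen, and hand the
// parsed object on only when it is clean. Unparseable input is rejected too.
function screenPayload(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (err) {
    return { ok: false, reason: 'invalid JSON', findings: [] };
  }
  const findings = findDangerousKeys(parsed);
  if (findings.length > 0) {
    return { ok: false, reason: 'dangerous key(s)', findings };
  }
  return { ok: true, reason: null, findings: [], value: parsed };
}

// Constructed access-log lines (hypothetical format: timestamp, client IP,
// method, path, raw JSON body). The third body spells "__proto__" with JSON
// unicode escapes, which a regex over the raw text would miss.
const SAMPLE_LOG = [
  '2023-02-01T10:00:00Z 203.0.113.7 POST /api/schemas {"properties":{"name":{"type":"string"}}}',
  '2023-02-01T10:00:02Z 203.0.113.7 POST /api/schemas {"properties":{"__proto__":{"properties":{"polluted":{"default":"yes"}}}}}',
  '2023-02-01T10:00:05Z 198.51.100.9 POST /api/schemas {"properties":{"\\u005f\\u005fproto\\u005f\\u005f":{"default":{}}}}',
  '2023-02-01T10:00:07Z 198.51.100.9 POST /api/schemas {"properties":{"constructor":{"properties":{"prototype":{"default":{"isAdmin":true}}}}}}',
  '2023-02-01T10:00:09Z 198.51.100.9 POST /api/schemas not-json-at-all',
];

// Split one log line into fields and screen its body.
function scanLogLine(line) {
  const match = /^(\S+) (\S+) (\S+) (\S+) (.*)$/.exec(line);
  if (!match) return null;
  const [, ts, ip, method, path, body] = match;
  return { ts, ip, method, path, ...screenPayload(body) };
}

// Return only the entries that carry dangerous keys, which is what should page
// someone; invalid-JSON lines are noise for this detection and are not alerted on.
function scanLog(lines) {
  return lines
    .map(scanLogLine)
    .filter((entry) => entry !== null && entry.findings.length > 0);
}

for (const alert of scanLog(SAMPLE_LOG)) {
  console.log(`${alert.ts} ${alert.ip} ${alert.method} ${alert.path} -> ${alert.findings.join(', ')}`);
}
```

`screenPayload` is meant to sit directly in front of the `validate` call: pass `result.value` on when `ok` is true and return a 400 otherwise. The same `findDangerousKeys` walk is what the log scan uses, so a payload the gate rejects is also the payload the scan alerts on.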
🔗 References
- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9
- https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html
- https://security.netapp.com/advisory/ntap-20250117-0004/