CVE-2021-42581

9.1 CRITICAL

📋 TL;DR

CVE-2021-42581 is a prototype pollution vulnerability in Ramda's mapObjIndexed function that allows attackers to modify JavaScript object prototypes by supplying crafted objects containing '__proto__' properties. This affects applications using Ramda 0.27.0 or earlier, potentially compromising application integrity or availability. The vendor disputes the severity, arguing it only allows users to create objects with custom prototypes they didn't anticipate.

💻 Affected Systems

Products:
  • Ramda
Versions: 0.27.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using vulnerable Ramda versions, regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application compromise through prototype pollution leading to remote code execution, denial of service, or data corruption.

🟠 Likely Case

Application instability, unexpected behavior, or denial of service through prototype chain manipulation.

🟢 If Mitigated

Limited impact with proper input validation and sanitization in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available via provided jsfiddle links. Exploitation requires the attacker to control the input passed to the mapObjIndexed function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.27.1 and later

Vendor Advisory: https://github.com/ramda/ramda/pull/3192

Restart Required: No

Instructions:

1. Update the Ramda dependency to version 0.27.1 or later.
2. Run 'npm update ramda' or 'yarn upgrade ramda'.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input validation and sanitization (platform: all)

Implement strict input validation to reject objects containing '__proto__' properties before passing them to mapObjIndexed.

Object.freeze on Object.prototype (platform: all)

Prevent prototype pollution by freezing Object.prototype (may break legitimate functionality):

Object.freeze(Object.prototype)

🧯 If You Can't Patch

  • Implement strict input validation to reject objects with '__proto__' properties
  • Use alternative functions that don't have prototype pollution issues
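The two workarounds above, rejecting input that carries '__proto__' and using a mapping helper that cannot change the result's prototype, as an added JavaScript example. This is not Ramda's code and not the fix from PR 3192; the function names findForbiddenKey, assertCleanInput and safeMapObjIndexed, the forbidden-key list (which adds 'constructor' and 'prototype' beyond the '__proto__' key the advisory names), and the sample payload are this example's own assumptions and constructions.

```javascript
// Added example: defensive handling of untrusted objects before they reach a
// key-iterating helper such as Ramda's mapObjIndexed. Not Ramda's code.

// Keys that let a plain object reach or replace a prototype. The advisory
// names only '__proto__'; 'constructor' and 'prototype' are included as a
// common defensive extension (assumption of this example).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the JSONPath-style location of the first
// forbidden *own* key, or null when the value is clean. Own keys are listed
// with Object.keys, so inherited properties never trigger a false positive.
function findForbiddenKey(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) return childPath;
    const nested = findForbiddenKey(value[key], childPath);
    if (nested !== null) return nested;
  }
  return null;
}

// Boundary check: throw on polluting input so it never reaches mapping code.
function assertCleanInput(value) {
  const where = findForbiddenKey(value);
  if (where !== null) {
    throw new TypeError(`rejected input: forbidden key at ${where}`);
  }
  return value;
}

// Hardened stand-in for mapObjIndexed with the same (value, key, obj) callback
// shape. Results are written with Object.defineProperty, so a key literally
// named "__proto__" becomes an ordinary own data property on the result
// instead of being routed through the inherited __proto__ setter.
function safeMapObjIndexed(fn, obj) {
  const result = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(result, key, {
      value: fn(obj[key], key, obj),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return result;
}

// Constructed sample payload, shaped like a parsed HTTP JSON body. JSON.parse
// creates an *own* property called "__proto__" here; only a later naive copy
// into a fresh object (result[key] = ...) would turn it into a prototype change.
const SAMPLE_PAYLOAD = JSON.parse(
  '{"name":"alice","prefs":{"theme":"dark","__proto__":{"polluted":true}}}'
);

// Demonstration of the two layers on the constructed payload.
function demo() {
  let rejectedAt = null;
  try {
    assertCleanInput(SAMPLE_PAYLOAD);
  } catch (err) {
    rejectedAt = err.message;
  }
  // Even when the boundary check is skipped, the mapper keeps the key inert.
  const mapped = safeMapObjIndexed((v, k) => `${k}:${typeof v}`, SAMPLE_PAYLOAD.prefs);
  return {
    rejectedAt,
    mappedOwnKeys: Object.keys(mapped).sort(),
    prototypeIntact: Object.getPrototypeOf(mapped) === Object.prototype,
    globalClean: ({}).polluted === undefined,
  };
}

console.log(demo());
```

The boundary check is the workaround the advisory describes; the defineProperty-based mapper is defense in depth for code paths that bypass the check. Both can stay in place after upgrading to 0.27.1.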

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for Ramda version 0.27.0 or earlier.

Check Version:

npm list ramda | grep ramda

Verify Fix Applied:

Verify Ramda version is 0.27.1 or later in package.json and node_modules.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual object property modifications
  • Prototype-related errors

Network Indicators:

  • Requests containing '__proto__' in payloads

SIEM Query:

search '__proto__' in web application logs or payloads
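The keyword search above, carried out over a few request log lines as an added JavaScript example that is not part of the original advisory. It goes slightly beyond the plain '__proto__' search by percent-decoding the line first and by also matching the constructor/prototype chain; the log format, the regular expression and the sample lines are this example's own constructions.

```javascript
// Added example: a small detector that applies the SIEM idea to request log
// lines. Not from any real product; pattern and log format are assumptions.

// Matches a literal "__proto__" key, or the "constructor" ... "prototype" chain
// in either JSON nesting ("constructor":{"prototype) or dotted/bracketed form.
const PROTO_KEY_PATTERN = /__proto__|["']?constructor["']?\s*[\[.:]\s*\{?\s*["']?prototype/i;

// Percent-decode once so an encoded "%5F%5Fproto%5F%5F" in a query string is
// inspected as "__proto__". Malformed encodings fall back to the raw text.
function decodeForInspection(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text;
  }
}

// Return one hit per suspicious line: 1-based line number, the matched token,
// and the raw line for the analyst.
function scanLogLines(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const match = PROTO_KEY_PATTERN.exec(decodeForInspection(line));
    if (match !== null) {
      hits.push({ line: index + 1, token: match[0], raw: line });
    }
  });
  return hits;
}

// Constructed sample access-log lines (not from a real system).
const SAMPLE_LOG = [
  '2021-10-18T10:01:02Z POST /api/profile 200 body={"name":"alice","theme":"dark"}',
  '2021-10-18T10:01:05Z POST /api/profile 200 body={"name":"bob","__proto__":{"polluted":true}}',
  '2021-10-18T10:01:09Z GET /api/search?q=%5F%5Fproto%5F%5F%5Bx%5D%3D1 200',
  '2021-10-18T10:01:12Z POST /api/profile 200 body={"constructor":{"prototype":{"x":1}}}',
  '2021-10-18T10:01:15Z GET /docs/constructors 200',
];

console.log(scanLogLines(SAMPLE_LOG));
```

Treat a hit as a lead, not a verdict: some legitimate payloads mention these names, so correlate with the "Log Indicators" above (crashes, unexpected property changes) before escalating.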
