CVE-2021-43852

8.8 HIGH

📋 TL;DR

CVE-2021-43852 is a prototype pollution vulnerability in OroPlatform that allows attackers to inject malicious properties into JavaScript prototypes via specially crafted requests. This could lead to JavaScript code execution in libraries vulnerable to prototype pollution. Affects OroPlatform users running versions before 4.2.8.

💻 Affected Systems

Products:
  • OroPlatform
Versions: Versions before 4.2.8
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of vulnerable OroPlatform versions regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the environment.

🟠 Likely Case

JavaScript code execution in the context of the web application, potentially leading to session hijacking, data manipulation, or privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and firewall rules blocking malicious payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific requests with prototype pollution payloads but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.8

Vendor Advisory: https://github.com/oroinc/platform/security/advisories/GHSA-jx5q-g37m-h5hj

Restart Required: Yes

Instructions:

1. Backup your OroPlatform installation.
2. Update to version 4.2.8 or later via composer: 'composer require oro/platform:^4.2.8'.
3. Clear cache: 'php bin/console cache:clear'.
4. Restart web server.

🔧 Temporary Workarounds

Firewall Rule to Block Prototype Pollution Payloads

Configure the web application firewall to drop requests containing prototype pollution strings.

# Example for Apache mod_security. The polluting key normally sits in a parameter
# name (e.g. __proto__[x]=1), so ARGS_NAMES is inspected as well as the ARGS values;
# REQUEST_BODY additionally covers JSON bodies when SecRequestBodyAccess is On.
SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@rx (__proto__|constructor\[prototype\]|constructor\.prototype)" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Implement strict input validation to reject requests containing __proto__, constructor[prototype], or constructor.prototype strings
  • Deploy web application firewall with rules to block prototype pollution payloads

🔍 How to Verify

Check if Vulnerable:

Check OroPlatform version via composer: 'composer show oro/platform | grep version'

Check Version:

composer show oro/platform | grep version

Verify Fix Applied:

Verify version is 4.2.8 or higher and test with sample payloads containing __proto__ strings

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing __proto__, constructor[prototype], or constructor.prototype strings
  • Unusual JavaScript errors or prototype modifications in application logs

Network Indicators:

  • HTTP requests with prototype pollution payloads in parameters or headers

SIEM Query:

source="web_logs" AND ("__proto__" OR "constructor[prototype]" OR "constructor.prototype")
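The SIEM query above matches the indicator strings literally, so a URL-encoded variant such as %5F%5Fproto%5F%5F would slip past it. The following is an added example (not part of this advisory card or of OroPlatform) that scans combined-format access log lines, URL-decodes the request target before matching, and reports each hit; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Indicator strings listed on the advisory card.
PP_PATTERN = re.compile(r"__proto__|constructor\[prototype\]|constructor\.prototype", re.I)

# Request line of the combined log format: "METHOD TARGET HTTP/x.y"
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so that encoded (%5F%5Fproto%5F%5F) and
    double-encoded variants are compared against the plain-text patterns."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return (line_number, decoded_target, matched_indicator) for every request
    whose path or query string carries a prototype pollution indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_LINE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        target = normalize(m.group("target"))
        hit = PP_PATTERN.search(target)
        if hit:
            hits.append((n, target, hit.group(0)))
    return hits


# Constructed sample log lines (not real traffic): benign, plain indicator,
# URL-encoded indicator, and the bracket form inside a parameter name.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2022:10:00:01 +0000] "GET /admin/?page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2022:10:00:02 +0000] "GET /admin/?__proto__[x]=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2022:10:00:03 +0000] "GET /admin/?%5F%5Fproto%5F%5F%5Bx%5D=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2022:10:00:04 +0000] "POST /admin/?constructor[prototype][x]=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for n, target, indicator in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {indicator!r} in {target}")
```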
