CVE-2021-44908

9.8 CRITICAL

📋 TL;DR

This CVE describes a prototype pollution vulnerability in Sails.js versions up to and including 1.4.0. Crafted input lets an attacker add or overwrite properties on a shared JavaScript prototype (typically Object.prototype), so every object in the process inherits the attacker-controlled values. Depending on how the application later uses those properties, the result can be denial of service, privilege escalation, or remote code execution. All applications running an affected Sails.js version are affected.

💻 Affected Systems

Products:
  • Sails.js
Versions: <=1.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected Sails.js versions are vulnerable regardless of configuration.

📦 What is this software?

Sails.js is an MVC web application framework for Node.js built on top of Express. It is commonly used to build REST APIs and real-time (socket) backends, and parses JSON bodies, query strings and route parameters into JavaScript objects on every request.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Denial of service, privilege escalation, or arbitrary code execution within the application context.

🟢

If Mitigated

Limited impact if request data is validated so that keys such as __proto__, constructor and prototype are rejected before application code merges it, and if the application runs with least privilege so that a polluted prototype cannot be turned into code execution on the host.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept code is publicly available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Advisory: https://github.com/balderdashy/sails/issues/7209

Restart Required: Yes

Instructions:

1. Update Sails.js to version 1.4.1 or later. Note that npm update sails only moves within the version range declared in package.json; to raise that range run npm install sails@^1.4.1, which also updates package-lock.json.
2. Restart the application server so the new code is loaded.
3. Verify the update with npm ls sails and confirm the resolved (installed) version is 1.4.1 or higher.

🔧 Temporary Workarounds

Input validation middleware

Applies to: all affected versions

Add middleware that inspects the parsed request body, query string and route parameters before any handler runs, and rejects (or strips) any object that contains the keys __proto__, constructor or prototype at any nesting depth, including inside arrays. This keeps pollution payloads from reaching the vulnerable functions, but it is a workaround, not a fix: upgrade as soon as possible.
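The following is an added example, not Sails.js code or anything from the advisory. It first shows the general mechanism (a naive recursive merge that writes through an own "__proto__" key onto Object.prototype), then the guard a practitioner would install as Express/Sails-style middleware (req, res, next). The unsafeMerge function and the payloads are constructed for illustration; the middleware assumes the usual Express request fields body, query and params.

```javascript
'use strict';

// Keys that, when reached by a recursive merge or setter, escape the target
// object and land on a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A naive recursive merge of the kind that prototype pollution abuses.
// Illustration only: this is NOT Sails.js code.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // target['__proto__'] resolves to Object.prototype, so the recursion
      // below writes the attacker's properties onto the shared prototype.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Shows the effect: JSON.parse creates an OWN property named "__proto__"
// (it does not change the parsed object's prototype), and the naive merge
// then copies its contents onto Object.prototype for every object in the process.
function demonstratePollution() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed payload
  unsafeMerge({}, payload);
  const leaked = ({}).polluted === true;  // a fresh object now inherits "polluted"
  delete Object.prototype.polluted;        // undo so the rest of the process behaves
  return leaked;
}

// Walks a decoded request payload and returns the dotted path of the first
// forbidden key, or null when the payload is clean. Arrays are searched too,
// because payloads can hide inside list elements.
function findForbiddenKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {      // Object.keys sees own "__proto__" keys
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const hit = findForbiddenKey(value[key], here);
    if (hit) return hit;
  }
  return null;
}

// Express/Sails-style middleware: reject with 400 before any handler or ORM
// call can merge the payload into application state.
function rejectPrototypePollution(req, res, next) {
  for (const source of ['body', 'query', 'params']) {
    const hit = findForbiddenKey(req[source]);
    if (hit) {
      return res.status(400).json({ error: `forbidden key "${hit}" in request ${source}` });
    }
  }
  return next();
}

console.log('naive merge pollutes Object.prototype:', demonstratePollution());
console.log('payload check:', findForbiddenKey(JSON.parse('{"a":{"__proto__":{"isAdmin":true}}}')));
```

Register the middleware before the body parser's consumers (in Sails, as an early entry in the http middleware order) so it sees the already-parsed objects. Blocking the literal key "constructor" can reject legitimate field names in rare schemas; if that matters, strip the offending keys instead of returning 400, but log the event either way so the attempt is visible.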

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block prototype pollution patterns in bodies and query strings, including URL-encoded and bracketed forms such as __proto__[x], constructor[prototype][x] and %5F%5Fproto%5F%5F
  • Isolate vulnerable applications in network segments with strict access controls, and run them under a low-privilege account so a compromised process cannot reach further

🔍 How to Verify

Check if Vulnerable:

Determine the version actually installed, not the range in package.json (a range such as ^1.4.0 may resolve to a fixed or an affected version): run npm ls sails in the application directory, or read node_modules/sails/package.json or the lockfile. Any resolved version <=1.4.0 is vulnerable.

Check Version:

npm list sails | grep sails

Verify Fix Applied:

Verify Sails.js version is 1.4.1 or higher using npm list sails
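As an added example (not part of the advisory or of Sails.js), the following script evaluates the resolved sails version against the affected range <=1.4.0. It reads the JSON that npm ls sails --json prints (assumed shape: a tree of "dependencies" objects carrying "version" fields), walks nested node_modules directories too, and exits non-zero when an affected copy is found. SAMPLE_NPM_LS is constructed data in that shape.

```javascript
'use strict';

// Last affected release per the advisory; anything <= this is vulnerable.
const LAST_VULNERABLE = '1.4.0';

// Parses "major.minor.patch" with an optional pre-release suffix
// (build metadata and anything after the third number are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Returns -1, 0 or 1. A pre-release sorts before the same numeric release,
// so 1.4.0-rc.1 < 1.4.0 (and is therefore still affected).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, LAST_VULNERABLE) <= 0;
}

// Walks an `npm ls --json` tree and reports every installed copy of sails,
// including copies nested under other packages in a monorepo or vendored tree.
function findSails(tree, path = '.', out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = `${path}/node_modules/${name}`;
    if (name === 'sails' && info.version) {
      out.push({ path: here, version: info.version, vulnerable: isVulnerable(info.version) });
    }
    findSails(info, here, out);
  }
  return out;
}

// Constructed sample in the shape `npm ls sails --json` emits: one affected
// top-level copy and one fixed copy nested under another package.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '0.1.0',
  dependencies: {
    sails: { version: '1.4.0' },
    'legacy-service': { version: '2.0.0', dependencies: { sails: { version: '1.4.1' } } },
  },
};

function formatReport(report) {
  return report.map(r => `${r.path}: sails@${r.version} ${r.vulnerable ? 'VULNERABLE (<= 1.4.0)' : 'ok'}`);
}

// Usage: npm ls sails --json | node check-sails.js --from-npm-ls
if (process.argv.includes('--from-npm-ls')) {
  let input = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', chunk => { input += chunk; });
  process.stdin.on('end', () => {
    const report = findSails(JSON.parse(input));
    if (report.length === 0) console.log('sails is not installed in this tree');
    for (const line of formatReport(report)) console.log(line);
    process.exit(report.some(r => r.vulnerable) ? 1 : 0);
  });
} else {
  for (const line of formatReport(findSails(SAMPLE_NPM_LS))) console.log(line);
}
```

The exit status makes the check usable as a CI gate; the file name check-sails.js in the usage line is a placeholder you choose.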

📡 Detection & Monitoring

Log Indicators:

  • Properties appearing on objects that the application never set (for example, a role or isAdmin flag present on a freshly created object)
  • Unexpected prototype property assignments, or request-handling errors that mention __proto__, constructor or prototype
  • Application crashes or TypeErrors whose stack traces involve prototype-related lookups

Network Indicators:

  • HTTP requests whose JSON bodies or query strings contain __proto__ keys, or constructor followed by prototype, including URL-encoded forms (%5F%5Fproto%5F%5F) and bracket syntax (constructor[prototype][x]) in query strings

SIEM Query:

source="application.logs" AND ("__proto__" OR "constructor" OR "prototype pollution")
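The query above is a starting point, but a bare "constructor" substring match fires on ordinary text, and a raw "__proto__" match misses URL-encoded requests. The following is an added example (not from the advisory or any SIEM vendor) of the same detection logic expressed as rules that decode the line once and require constructor to be followed by prototype; it runs over constructed access-log lines and contrasts the result with the naive substring match.

```javascript
'use strict';

// Detection rules: a bare "__proto__" key, or "constructor" immediately
// followed by "prototype" in JSON, dotted, bracketed or %5B-encoded form.
const INDICATORS = [
  { name: 'proto_key', re: /__proto__/i },
  { name: 'constructor_prototype', re: /constructor(?:\[|%5B|\.|"\s*:\s*\{\s*")\s*prototype/i },
];

// One URL-decoding pass; double-encoded payloads would need the loop repeated.
function decodeOnce(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns the names of the indicators matched by a log line (raw or decoded).
function scanLogLine(line) {
  const hits = new Set();
  for (const text of [line, decodeOnce(line)]) {
    for (const { name, re } of INDICATORS) {
      if (re.test(text)) hits.add(name);
    }
  }
  return [...hits];
}

// Scans a batch of lines and returns only the ones with indicators.
function scanLogs(lines) {
  const out = [];
  lines.forEach((line, index) => {
    const indicators = scanLogLine(line);
    if (indicators.length) out.push({ index, indicators, line });
  });
  return out;
}

// The substring terms from the SIEM query, for comparison.
function naiveSiemMatch(line) {
  return /__proto__|constructor|prototype pollution/i.test(line);
}

// Constructed sample access-log lines (not real traffic).
const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET /api/users?name=alice HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /api/users?__proto__[isAdmin]=true HTTP/1.1" 200 87',
  '10.0.0.9 - - [01/Jan/2022:10:00:03 +0000] "POST /api/profile HTTP/1.1" 400 42 body={"constructor":{"prototype":{"isAdmin":true}}}',
  '10.0.0.12 - - [01/Jan/2022:10:00:04 +0000] "GET /api/search?q=constructor%20design HTTP/1.1" 200 1024',
  '10.0.0.9 - - [01/Jan/2022:10:00:05 +0000] "GET /api/users?%5F%5Fproto%5F%5F%5Brole%5D=admin HTTP/1.1" 500 0',
];

for (const hit of scanLogs(SAMPLE_ACCESS_LOG)) {
  console.log(`line ${hit.index}: ${hit.indicators.join(',')} -> ${hit.line}`);
}
console.log('naive query flags benign search line:', naiveSiemMatch(SAMPLE_ACCESS_LOG[3]));
console.log('naive query sees encoded payload:', naiveSiemMatch(SAMPLE_ACCESS_LOG[4]));
```

Lines 1, 2 and 4 are flagged; the benign search for "constructor design" is not, and the percent-encoded __proto__ is caught only because the line is decoded before matching. Apply the same two adjustments to the SIEM query: decode or normalise the request field first, and pair constructor with prototype rather than matching it alone.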
