CVE-2022-21231

7.5 HIGH

📋 TL;DR

CVE-2022-21231 is a prototype pollution vulnerability in the deep-get-set npm package that allows attackers to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. This affects any application using vulnerable versions of deep-get-set. The vulnerability results from an incomplete fix of CVE-2020-7715.

💻 Affected Systems

Products:
  • deep-get-set npm package
Versions: All versions
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using deep-get-set with user-controlled input is vulnerable. The vulnerability is in the package itself, not dependent on specific configurations.

📦 What is this software?

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Denial of service, application crashes, or limited privilege escalation within the application context

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially only causing application instability

🌐 Internet-Facing: HIGH - Web applications using this package could be exploited remotely without authentication
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution exploits are well-documented and relatively easy to weaponize. The incomplete fix of CVE-2020-7715 suggests similar exploitation patterns apply.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: No fixed version available - package is deprecated

Vendor Advisory: https://snyk.io/vuln/SNYK-JS-DEEPGETSET-2342655

Restart Required: Yes

Instructions:

  1. Remove deep-get-set from package.json.
  2. Run 'npm uninstall deep-get-set'.
  3. Replace it with an alternative package such as lodash.get, or implement a custom solution.
  4. Restart all affected applications.

🔧 Temporary Workarounds

Input validation wrapper (all)

Wrap deep-get-set calls with strict input validation to prevent prototype pollution

// JavaScript implementation: validate input objects before passing to deep function

Object.freeze on prototypes (all)

Freeze Object.prototype and other base prototypes to prevent modification. Run this as early as possible in process startup, and test the application afterwards: any library that legitimately extends built-in prototypes (polyfills, some older frameworks) will stop working once they are frozen.

Object.freeze(Object.prototype);
Object.freeze(Object);
Object.freeze(Array.prototype);
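The following helper is an added example and is not code from this advisory or from the deep-get-set package. It combines the two workarounds above: a path-based getter and setter that refuse the `__proto__`, `constructor` and `prototype` segments and only walk own properties, plus a function that freezes the base prototypes. The names safeGet, safeSet, isSafePath and hardenPrototypes, and the sample config object, are this example's own.

```javascript
// Added example: hardened replacement for deep-get-set style path access.
// Function names and the sample data below are constructed for this example.

// Path segments that would let a caller walk off the target object and into
// a shared prototype. Rejecting them is the core of the mitigation.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept either a dotted string ("a.b.c") or an array of segments; throw on
// anything that could reach a prototype.
function parsePath(path) {
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new TypeError(`Refusing unsafe path segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// Convenience predicate for validating user-supplied paths before use.
function isSafePath(path) {
  try {
    parsePath(path);
    return true;
  } catch (err) {
    return false;
  }
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Read a nested value, descending only through own properties so inherited
// members such as toString are never exposed as "data".
function safeGet(obj, path) {
  let cur = obj;
  for (const seg of parsePath(path)) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, seg)) {
      return undefined;
    }
    cur = cur[seg];
  }
  return cur;
}

// Write a nested value. Intermediate containers that do not exist are created
// as prototype-less objects, so a later write can never reach Object.prototype
// through them either.
function safeSet(obj, path, value) {
  if (obj === null || typeof obj !== 'object') {
    throw new TypeError('target must be an object');
  }
  const segments = parsePath(path);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!hasOwn(cur, seg) || cur[seg] === null || typeof cur[seg] !== 'object') {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Second workaround from the advisory: freeze the base prototypes so that even
// a missed validation cannot add or change inherited properties. Call once,
// at startup, before application code runs.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  Object.freeze(Array.prototype);
  return Object.isFrozen(Object.prototype) && Object.isFrozen(Array.prototype);
}

module.exports = { parsePath, isSafePath, safeGet, safeSet, hardenPrototypes };
```

Use isSafePath at the trust boundary (request handlers, config loaders) to reject a bad path with a 400 rather than an exception deep in the call stack, and keep hardenPrototypes as the backstop rather than the primary control, since the freeze is process-wide and irreversible.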

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-controlled data passed to deep-get-set functions
  • Isolate applications using deep-get-set in containers or sandboxes with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for a deep-get-set dependency. Run 'npm list deep-get-set' to see whether it is installed; this also reports copies pulled in transitively by other dependencies, which must be removed as well.

Check Version:

npm list deep-get-set

Verify Fix Applied:

Verify deep-get-set is removed from package.json and node_modules. Run 'npm list deep-get-set' to confirm not installed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes
  • Unexpected prototype modifications in logs
  • Memory exhaustion errors

Network Indicators:

  • Unusual outbound connections from Node.js processes
  • Increased error rates in web applications

SIEM Query:

source="application_logs" AND ("deep-get-set" OR "prototype pollution" OR "CVE-2022-21231")
