CVE-2023-2972

9.8 CRITICAL

📋 TL;DR

CVE-2023-2972 is a prototype pollution vulnerability in antfu/utils library versions prior to 0.7.3. This allows attackers to inject properties into JavaScript objects, potentially leading to remote code execution, denial of service, or privilege escalation. Anyone using vulnerable versions of this utility library in their Node.js applications is affected.

💻 Affected Systems

Products:
  • antfu/utils
Versions: All versions prior to 0.7.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the vulnerable functions from the antfu/utils library.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service, application crashes, or limited data manipulation depending on how the library is used.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only causing application instability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and often easily exploitable with public proof-of-concepts available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.3 and later

Vendor Advisory: https://github.com/antfu/utils/commit/7f8b16c6181c988bdb96613fbb2533b345f68682

Restart Required: Yes

Instructions:

1. Update package.json so that the dependency on antfu/utils requires version 0.7.3 or higher (the package is published on npm as @antfu/utils). This step is required: 'npm update' only moves within the range declared in package.json, and a caret range on a 0.x version such as ^0.6.0 never reaches 0.7.3.
2. Run 'npm update @antfu/utils' or 'yarn upgrade @antfu/utils'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input Validation Wrapper (applies to: all)

Wrap vulnerable functions with input validation that rejects payloads containing the keys __proto__, constructor or prototype at any nesting level.

Object.freeze Prototype (applies to: all)

Freeze Object.prototype to prevent property injection:

Object.freeze(Object.prototype)

Note that the freeze is process-wide: any code (polyfills, older libraries) that writes to Object.prototype will fail silently or throw a TypeError after it is applied, and it protects only Object.prototype, not other prototypes reachable through a constructor.prototype path. Test it in staging before deploying.
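As an added example (not code from antfu/utils or from this advisory), the Node.js script below applies both workarounds around a hypothetical recursive merge, naiveDeepMerge, which stands in for any utility that copies user-controlled keys into an object; the request bodies are constructed samples. It shows that the unguarded merge lets a __proto__ key reach Object.prototype, that the validation wrapper rejects that payload while passing a clean one, and that after Object.freeze(Object.prototype) the same defective merge can no longer modify the prototype.

```javascript
// Added example, not code from antfu/utils: naiveDeepMerge is a hypothetical
// recursive merge standing in for any utility that copies user-controlled keys
// into an object; the two advisory workarounds are applied around it.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a decoded JSON value and returns the dotted path of the first
// forbidden key, or null when the value is clean.
function findForbiddenKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findForbiddenKey(value[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// Hypothetical merge with the classic defect: it recurses into whatever
// target[key] resolves to, so a source key "__proto__" lands on Object.prototype.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Workaround 1: validation wrapper that refuses the payload before it reaches the merge.
function guardedDeepMerge(target, source) {
  const bad = findForbiddenKey(source);
  if (bad !== null) throw new Error(`rejected payload: forbidden key at "${bad}"`);
  return naiveDeepMerge(target, source);
}

// True only if an own property "polluted" has been written onto Object.prototype.
function isPrototypePolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
}

// Constructed sample request bodies (not taken from the advisory).
const CLEAN_PAYLOAD = '{"user":{"name":"alice","prefs":{"theme":"dark"}}}';
const POLLUTING_PAYLOAD = '{"user":{"__proto__":{"polluted":true}}}';

function runDemo() {
  const results = {};

  // Without either workaround the sample payload reaches Object.prototype.
  naiveDeepMerge({}, JSON.parse(POLLUTING_PAYLOAD));
  results.unguardedPolluted = isPrototypePolluted();
  delete Object.prototype.polluted; // restore the global state for the next steps

  // Workaround 1: the wrapper passes clean input and rejects the polluting one.
  results.cleanMerge = guardedDeepMerge({}, JSON.parse(CLEAN_PAYLOAD));
  try {
    guardedDeepMerge({}, JSON.parse(POLLUTING_PAYLOAD));
    results.guardRejectedAt = null;
  } catch (err) {
    results.guardRejectedAt = err.message;
  }

  // Workaround 2: after the freeze the defective merge can no longer write to
  // Object.prototype (ignored in sloppy mode, TypeError in strict mode).
  Object.freeze(Object.prototype);
  results.frozenWriteThrew = false;
  try {
    naiveDeepMerge({}, JSON.parse(POLLUTING_PAYLOAD));
  } catch (err) {
    results.frozenWriteThrew = err instanceof TypeError;
  }
  results.frozenPolluted = isPrototypePolluted();
  return results;
}

const RESULTS = runDemo();
console.log(RESULTS);
```

The wrapper also blocks constructor and prototype keys because a frozen Object.prototype does nothing for a payload that walks constructor.prototype into another class; in a real application the check belongs at the request-parsing boundary so that every call site is covered.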

🧯 If You Can't Patch

  • Implement strict input validation for all user-controlled data passed to antfu/utils functions, rejecting objects that contain the keys __proto__, constructor or prototype at any depth
  • Use application-level firewalls or WAF rules to block JSON request bodies that contain those keys

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for antfu/utils version. If version is less than 0.7.3, you are vulnerable.

Check Version:

npm list @antfu/utils
yarn list --pattern @antfu/utils

(The package is published on npm as @antfu/utils; antfu/utils is the GitHub repository.)

Verify Fix Applied:

After updating, verify that every installed copy (including nested copies pulled in by other dependencies) is 0.7.3 or higher using 'npm list @antfu/utils' or 'yarn list --pattern @antfu/utils'.
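The manual check above can be scripted against the lock file, which lists every installed copy of a package rather than only the top-level one. The script below is an added example, not part of the advisory or of antfu/utils: it scans a parsed package-lock.json (lockfileVersion 1 as well as 2/3) for copies of a package older than the fixed version, with a proper numeric comparison so that 0.10.0 is not mistaken for an old release. The lock files and the dependency some-lib are constructed samples.

```javascript
// Added example, not part of the advisory: reports every installed copy of a
// package whose version is below a fixed version. The npm package name for the
// antfu/utils repository is @antfu/utils. Sample lock files below are constructed.

// Splits "v1.2.3-beta.1+build" into numeric core [1,2,3] and pre-release "beta.1".
function parseVersion(v) {
  const noBuild = v.replace(/^v/, '').split('+')[0];
  const dash = noBuild.indexOf('-');
  const coreStr = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const core = coreStr.split('.').map(Number);
  while (core.length < 3) core.push(0);
  return { core, pre: dash === -1 ? null : noBuild.slice(dash + 1) };
}

// Returns -1, 0 or 1; a pre-release sorts before its release (0.7.3-beta.1 < 0.7.3).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0; // lexical, adequate here
}

// Lists every copy of pkgName in a parsed package-lock.json that is older than fixedVersion.
function findVulnerableCopies(lock, pkgName, fixedVersion) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: every installed copy is keyed by its node_modules path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${pkgName}`) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" trees
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkgName && entry.version) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found.filter((copy) => compareVersions(copy.version, fixedVersion) < 0);
}

// Reads a lock file from disk (CommonJS; under ESM use `import { readFileSync } from 'fs'`).
function scanLockFile(lockPath, pkgName, fixedVersion) {
  const fs = require('fs');
  return findVulnerableCopies(JSON.parse(fs.readFileSync(lockPath, 'utf8')), pkgName, fixedVersion);
}

// Constructed sample: the top-level copy is fixed, but some-lib pins an old copy.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@antfu/utils': '^0.7.3', 'some-lib': '1.0.0' } },
    'node_modules/@antfu/utils': { version: '0.7.4' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { '@antfu/utils': '^0.5.0' } },
    'node_modules/some-lib/node_modules/@antfu/utils': { version: '0.5.2' },
  },
};

// Constructed sample in the older lock format: here the top-level copy is the old one.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    '@antfu/utils': { version: '0.6.10' },
    'some-lib': { version: '1.0.0', dependencies: { '@antfu/utils': { version: '0.7.3' } } },
  },
};

console.log(findVulnerableCopies(SAMPLE_LOCK_V3, '@antfu/utils', '0.7.3'));
console.log(findVulnerableCopies(SAMPLE_LOCK_V1, '@antfu/utils', '0.7.3'));
// Against a real project: scanLockFile('./package-lock.json', '@antfu/utils', '0.7.3')
```

An empty result means no installed copy is below 0.7.3; any entry returned names the nested path that 'npm update' on the top-level dependency alone would leave untouched.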

📡 Detection & Monitoring

Log Indicators:

  • Unusual object property modifications
  • Application crashes with prototype-related errors
  • Unexpected function executions

Network Indicators:

  • HTTP requests whose JSON bodies contain __proto__, constructor or prototype keys
  • Unusual API calls to utility functions

SIEM Query:

source="application.logs" AND ("prototype" OR "__proto__") AND ("antfu" OR "utils")

🔗 References
