CVE-2021-20083: jquery-plugin-query-object contains prototype pollution vulnerability

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.91016%
Published: 5/24/2022
Updated: 7/11/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| jquery-query-object | npm | <= 2.2.3 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from how user-controlled query parameters are processed:

1) parseNew handles raw URL parameters and passes them to SET.
2) SET uses the parse function, which splits keys into base/tokens using a regex.
3) When base is `__proto__` and tokens contain properties, the assignment lands on the prototype, which is prototype pollution.

The PoC demonstrates this with the `?__proto__[test]=test` payload modifying Object.prototype. The code structure shown in BlackFan's analysis confirms the lack of prototype validation in property assignment paths.
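The base/token flow described above, as an added example that is not the plugin's source and not from the original page: a simplified bracket-key parser whose unguarded path lets the PoC key reach Object.prototype, beside a guarded path that refuses such keys. The names `splitKey`, `setPath`, `parseQuery` and `demo` are hypothetical, and the query string is constructed.

```javascript
// Added example: simplified bracket-key parser, not the plugin's source.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][c]" into ["a", "b", "c"]: the base followed by its tokens.
function splitKey(key) {
  const base = key.split("[")[0];
  const tokens = [...key.matchAll(/\[([^\]]*)\]/g)].map((m) => m[1]);
  return [base, ...tokens];
}

// Walk the path and assign. With guard=true, any segment that can reach a
// prototype is refused and intermediate nodes have no prototype at all.
function setPath(target, path, value, guard) {
  if (guard && path.some((seg) => BLOCKED.has(seg))) return false;
  let node = target;
  for (const seg of path.slice(0, -1)) {
    if (typeof node[seg] !== "object" || node[seg] === null) {
      node[seg] = guard ? Object.create(null) : {};
    }
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return true;
}

function parseQuery(query, guard) {
  const out = guard ? Object.create(null) : {};
  const rejected = [];
  for (const [key, value] of new URLSearchParams(query)) {
    if (!setPath(out, splitKey(key), value, guard)) rejected.push(key);
  }
  return { out, rejected };
}

// Constructed input: the page's PoC key plus one ordinary nested key.
function demo() {
  const query = "?__proto__[test]=test&user[name]=alice";
  parseQuery(query, false);                       // unguarded path
  const pollutedUnguarded = ({}).test === "test"; // unrelated object affected
  delete Object.prototype.test;                   // undo before the guarded run
  const safe = parseQuery(query, true);
  return {
    pollutedUnguarded,
    pollutedGuarded: "test" in {},
    rejected: safe.rejected,
    name: safe.out.user.name,
  };
}
```

Rejected keys are returned rather than silently dropped so they can be logged as a detection signal.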

WAF Protection Rules

WAF Rule

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object *.*.* allows a malicious user to inject properties into Object.prototype.
