
CVE-2021-23421: Prototype Pollution in merge-change

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.66305%
Published: 9/1/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name  | Ecosystem | Vulnerable Versions | First Patched Version
merge-change  | npm       | <= 1.8.1            | (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is explicitly documented in advisories as existing in utils.set. Analysis of the code shows it handles user-controlled path parameters recursively, creates new object properties dynamically, and lacks prototype pollution safeguards like path validation or Object.create(null) usage. The function's structure matches known prototype pollution patterns where attacker-controlled paths can modify prototype properties.
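The following is an added illustration of the pattern the root-cause analysis describes: a recursive path-setting helper that walks an attacker-controlled dotted path, creates intermediate objects on the fly and never checks the key names, shown beside a hardened variant. It is not merge-change's own code and not a reproduction of its utils.set; the function names, the dotted-path format and the sample attack path are assumptions made for the demonstration.

```javascript
// Added example (not merge-change's utils.set): the vulnerable pattern
// described in the root-cause analysis next to a hardened version.
// Function names, path syntax and the attack path are assumptions.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: recursive walk over a user-controlled path. Missing
// intermediate objects are created dynamically, but no segment is
// validated, so '__proto__' resolves to Object.prototype and the final
// assignment lands on the shared prototype.
function vulnerableSet(target, path, value) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  function walk(obj, i) {
    const key = segments[i];
    if (i === segments.length - 1) {
      obj[key] = value;
      return;
    }
    if (obj[key] === null || typeof obj[key] !== 'object') {
      obj[key] = {};
    }
    walk(obj[key], i + 1);
  }
  walk(target, 0);
  return target;
}

// Hardened: reject prototype-reaching segments up front, only descend into
// own properties (never inherited ones), and create intermediate containers
// with Object.create(null) so they carry no prototype to pollute.
function safeSet(target, path, value) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  for (const key of segments) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-reaching key: ${key}`);
    }
  }
  let obj = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const next = Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
    if (next === null || typeof next !== 'object') {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[segments[segments.length - 1]] = value;
  return target;
}

// Constructed attacker input, e.g. a key path taken from a JSON body.
const ATTACK_PATH = '__proto__.polluted';

// Returns what an unrelated, pre-existing object sees after the vulnerable
// call: 'pwned' means Object.prototype was modified.
function demoVulnerable() {
  const victim = {};
  vulnerableSet({}, ATTACK_PATH, 'pwned');
  const leaked = victim.polluted;
  delete Object.prototype.polluted; // undo the pollution for the rest of the process
  return leaked;
}

// Returns 'blocked' when the hardened helper refuses the same path.
function demoSafe() {
  try {
    safeSet({}, ATTACK_PATH, 'pwned');
    return 'not blocked';
  } catch (e) {
    return 'blocked';
  }
}

// Legitimate use still works: nested path on a plain object.
function benignSet() {
  return safeSet({}, 'a.b.c', 1).a.b.c;
}

console.log('vulnerable:', demoVulnerable()); // 'pwned'
console.log('hardened:', demoSafe());         // 'blocked'
console.log('benign:', benignSet());          // 1
```

The check is the important part: a path-walking setter must refuse `__proto__`, `constructor` and `prototype` as segments (or compare against `hasOwnProperty` and build containers with `Object.create(null)`); a deny-list alone is not sufficient if the library also accepts array-form paths or bracket syntax that bypasses the string split, so validate each segment after it has been parsed, as above.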

WAF Protection Rules

WAF Rule

All current versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.

Reasoning

The vulnerability is explicitly documented in advisories as existing in `utils.set`. Analysis of the code shows it handles user-controlled path parameters recursively, creates new object properties dynamically, and lacks prototype pollution safeguards like path validation or Object.create(null) usage. The function's structure matches known prototype pollution patterns where attacker-controlled paths can modify prototype properties.