
CVE-2021-23432: Prototype Pollution in mootools

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.53165%
Published: 9/2/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name: mootools
Ecosystem: npm
Vulnerable Versions: <= 1.5.2
First Patched Version: (none listed)

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability is explicitly tied to Object.merge() in all sources. The Snyk PoC demonstrates prototype pollution via Object.merge({}, malicious_payload), and the CWE-1321 description matches this behavior. Because mootools' merge implementation does not filter special prototype properties such as __proto__, it meets all criteria for a prototype pollution vector. No other functions are mentioned in advisories as contributing to this vulnerability.
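To make the root cause concrete, the following is an added example and not mootools' own Object.merge() or the Snyk PoC: a naive recursive merge of the kind the advisory describes, the hardened form that refuses prototype-related keys, and an input check of the kind a WAF rule would apply. The payload, the names naiveMerge, safeMerge, containsForbiddenKey and runScenario, and the FORBIDDEN_KEYS list are all assumptions made for this example.

```javascript
// Added illustration, not mootools' code: a naive deep merge, a hardened deep
// merge, and a WAF-style input check for prototype-related keys.

// Keys that must never be copied from untrusted input into a target object.
// On a plain object, walking "__proto__" reaches Object.prototype; "constructor"
// and "prototype" are the other well-known hops to a shared prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable pattern (CWE-1321): every key of `source` is merged into `target`
// and nested objects are merged recursively with no check on the key name.
// For a key named "__proto__", `target[key]` resolves to Object.prototype, so
// the nested payload is written onto the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip prototype-related keys entirely, and only descend
// into properties that `target` owns itself, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input check in the spirit of a WAF rule: does a parsed JSON value contain a
// prototype-related key anywhere in its tree? Arrays are searched element-wise.
function containsForbiddenKey(value) {
  if (Array.isArray(value)) return value.some(containsForbiddenKey);
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some(
    (key) => FORBIDDEN_KEYS.has(key) || containsForbiddenKey(value[key])
  );
}

// Constructed payload (assumed shape, not the Snyk PoC verbatim): an ordinary
// field plus a "__proto__" key. JSON.parse creates "__proto__" as an own
// data property, so Object.keys() returns it like any other key.
const UNTRUSTED_JSON = '{"name": "widget", "__proto__": {"isAdmin": true}}';

// Runs one merge implementation on the payload and reports whether a fresh,
// unrelated object now inherits `isAdmin`. The prototype is cleaned afterwards
// so the two runs do not influence each other.
function runScenario(mergeFn) {
  const result = mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { name: result.name, polluted };
}

console.log("naive merge polluted prototype:", runScenario(naiveMerge).polluted); // true
console.log("safe merge polluted prototype:", runScenario(safeMerge).polluted); // false
console.log("payload flagged by input check:",
  containsForbiddenKey(JSON.parse(UNTRUSTED_JSON))); // true
```

The key-name filter and the own-property check are independent defenses: the first stops the walk into Object.prototype via "__proto__", the second stops a merge from descending into any inherited object even if a future key spelling slips past the deny list. The input check is the cheaper, coarser control that can sit in front of the application.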

WAF Protection Rules

WAF Rule

This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge().
