Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2021-23509

CVE-2021-23509:
Prototype Pollution in json-ptr

5.6

CVSS Score

Basic Information

CVE ID
CVE-2021-23509
GHSA ID
GHSA-8gwj-8hxc-285w
EPSS Score
-
CWE
CWE-843
Published
11/8/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
json-ptrnpm< 3.0.03.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows critical validation was added to both functions: 1) Type checks for path segments (string/number) to prevent array-based type confusion 2) Explicit blocking of proto/constructor/prototype paths. The added tests demonstrate these were the vectors for prototype pollution. The vulnerability description specifically mentions array-based keys bypassing previous protections (CVE-2020-7766), which aligns with the missing type checks in these functions' path parameter handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** `json-ptr` ***or* `*.*.*`. * typ* *on*usion vuln*r**ility **n l*** to * *yp*ss o* *V*-****-**** w**n t** us*r-provi*** k*ys us** in t** point*r p*r*m*t*r *r* *rr*ys.

Reasoning

T** *ommit *i** s*ows *riti**l v*li**tion w*s ***** to *ot* *un*tions: *) Typ* ****ks *or p*t* s**m*nts (strin*/num**r) to pr*v*nt *rr*y-**s** typ* *on*usion *) *xpli*it *lo*kin* o* __proto__/*onstru*tor/prototyp* p*t*s. T** ***** t*sts **monstr*t* t