
CVE-2021-23624: Prototype Pollution in dotty

CVSS Score (v3.1): 5.6

Basic Information

EPSS Score: 0.61565%
Published: 11/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name: dotty
Ecosystem: npm
Vulnerable Versions: < 0.1.2
First Patched Version: 0.1.2

Vulnerability Intelligence

Root Cause Analysis

The key evidence comes from the patch commit, which modified the 'put' function to explicitly cast path.shift() to a string (var key = "" + path.shift()). This addresses a type confusion weakness in which an array element in the path could be coerced into an object prototype reference, so that a guard comparing the raw element against a prototype key never matches while the property access still resolves to the prototype. The security tests added with the patch specifically validate against array-based prototype pollution attempts, and the CVE description explicitly names array-based path parameters as the attack vector.
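To make the type confusion concrete, the following added example (not dotty's own code) contrasts a hypothetical deep-set helper whose guard compares the raw path element against a denylist with the same helper after the string cast described above; the helper names, the BLOCKED denylist and the probe property are assumptions for the illustration.

```javascript
// Added example, not dotty's code: a minimal deep-set helper in the pattern the
// root-cause analysis describes. BLOCKED is an assumed denylist of prototype keys.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: the guard compares the raw element, but the property
// access coerces it with ToPropertyKey, so ['__proto__'] reads as '__proto__'.
function putVulnerable(object, path, value) {
  path = Array.isArray(path) ? path.slice() : String(path).split('.');
  let current = object;
  while (path.length > 1) {
    const key = path.shift();           // may be an array rather than a string
    if (BLOCKED.has(key)) return false; // ['__proto__'] !== '__proto__' here
    if (typeof current[key] !== 'object' || current[key] === null) current[key] = {};
    current = current[key];             // current[['__proto__']] is the prototype
  }
  const last = path.shift();
  if (BLOCKED.has(last)) return false;
  current[last] = value;
  return true;
}

// Hardened pattern: coerce each element to a string before the guard, the way
// the patch's `"" + path.shift()` does, so the guard sees the same key the
// property access will use.
function putHardened(object, path, value) {
  path = Array.isArray(path) ? path.slice() : String(path).split('.');
  let current = object;
  while (path.length > 1) {
    const key = '' + path.shift();
    if (BLOCKED.has(key)) return false;
    if (typeof current[key] !== 'object' || current[key] === null) current[key] = {};
    current = current[key];
  }
  const last = '' + path.shift();
  if (BLOCKED.has(last)) return false;
  current[last] = value;
  return true;
}

// Runs both helpers with an array-typed first element (constructed input) and
// reports whether Object.prototype picked up the probe property.
function demo() {
  const probe = 'pollutedByDemo';
  const vulnerable = putVulnerable({}, [['__proto__'], probe], 'x');
  const leaked = ({})[probe] === 'x';
  delete Object.prototype[probe]; // clean up so later code is unaffected
  const hardened = putHardened({}, [['__proto__'], probe], 'x');
  return { vulnerable, leaked, hardened, leakedAfterFix: ({})[probe] === 'x' };
}
```

A detection-side takeaway is that the guard and the property access must agree on the key's type; any deep-set utility that accepts caller-supplied arrays as path elements should be checked for the same mismatch.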


WAF Protection Rules

WAF Rule

This affects the package dotty before 0.1.2. A type confusion vulnerability can lead to a bypass of [related CVE identifier not legible on this page] when the user-provided keys used in the path parameter are arrays.
