CVE-2021-23663: Prototype Pollution in sey
CVSS Score: 6.5 (CVSS 3.1)

Basic Information
CVE ID: CVE-2021-23663
GHSA ID:
EPSS Score: 0.64032%
CWE:
Published: 12/16/2021
Updated: 9/8/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
sey | npm | <= 0.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is explicitly attributed to the deepmerge function in all advisory sources. The PoC demonstrates prototype pollution through this function by merging a malicious payload whose keys include `__proto__`. The file path is confirmed by the PoC's `require('sey/lib/utils/deepmerge.js')` statement. The function's recursive merging logic likely lacks checks for prototype-modifying keys such as `__proto__`, `constructor`, or `prototype`.
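To illustrate the bug class the analysis describes, here is an added example that is not sey's deepmerge (the advisory does not show its internals): a naive recursive merge that reaches `Object.prototype` through a `__proto__` key, beside a hardened merge that skips prototype-modifying keys and only recurses into own plain-object properties. The `demonstrate` helper and the marker key names are constructed for this example.

```javascript
// Illustrative code, not sey's implementation.
function isObject(v) { return v !== null && typeof v === 'object'; }

// Naive recursive merge: writes every source key into target.
// For key "__proto__", target[key] is the inherited Object.prototype, so the
// recursion descends into it and writes the payload's properties there.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: refuse prototype-modifying keys and only recurse into an
// own, plain-object property of target (never an inherited one).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(v) {
  if (!isObject(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeDeepMerge(own ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Runs a merge with a JSON payload carrying a "__proto__" key (JSON.parse
// creates it as an own property) and reports whether a fresh object now
// inherits the marker. Cleans Object.prototype afterwards.
function demonstrate(mergeFn, marker) {
  const payload = JSON.parse(`{"__proto__": {"${marker}": true}}`);
  mergeFn({}, payload);
  const leaked = ({})[marker] === true;
  delete Object.prototype[marker];
  return leaked;
}
```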