CVE-2021-23663: Prototype Pollution in sey
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.64032%
CWE
Published
12/16/2021
Updated
9/8/2023
KEV Status
No
Technology
JavaScript
JavaScriptTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| sey | npm | <= 0.3.0 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability is explicitly attributed to the deepmerge function in all advisory sources. The PoC demonstrates prototype pollution through this function by merging a malicious payload containing proto properties. The file path is confirmed via the PoC's require('sey/lib/utils/deepmerge.js') statement. The function's recursive merging logic likely lacks checks for prototype-modifying properties like proto, constructor, or prototype.