CVE-2021-25915: Changeset vulnerable to prototype pollution

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.85861%
Published: 5/24/2022
Updated: 10/19/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
changeset | npm | >= 0.0.1, < 0.2.5 | 0.2.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

  1. The vulnerability description explicitly states the apply() function lacks type checking and prototype pollution protections.
  2. The commit diff shows critical security checks were added to the apply() function in index.js:
    • Added 'hasOwnProperty' checks before property traversal
    • Added explicit '__proto__' key filtering
  3. The PoC demonstrates exploitation through the apply() function.
  4. The CWE-1321 mapping confirms this is a prototype pollution vulnerability in property assignment logic.
  5. The patch adds prototype pollution tests specifically targeting the apply() function's behavior.
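
The two checks named in item 2, plus the type check item 1 says was missing, are shown here as an added example; this is not the changeset package's code or its patch. The function names, the `{ type, key, value }` change shape, and the extra `constructor`/`prototype` filtering (which goes beyond what the page lists) are assumptions for illustration.

```javascript
// Added example; not the changeset package's code. The change shape
// ({ type, key: [...path], value }) is an assumption for illustration.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

// Naive form: walks the path with plain property reads, so a '__proto__'
// segment resolves to Object.prototype and the final write lands there.
function applyNaive(changes, target) {
  for (const { key, value } of changes) {
    let node = target;
    for (const k of key.slice(0, -1)) node = node[k] = node[k] || {};
    node[key[key.length - 1]] = value;
  }
  return target;
}

// Hardened form: type-check the input, filter unsafe keys, own-property walk.
function applyHardened(changes, target) {
  if (!Array.isArray(changes)) throw new TypeError('changes must be an array');
  for (const change of changes) {
    const path = change && change.key;
    if (!Array.isArray(path) || path.length === 0) {
      throw new TypeError('key must be a non-empty array');
    }
    // A nested array such as ['__proto__'] stringifies to '__proto__' when
    // used as a property key, so segment types are checked before names.
    if (path.some((k) => typeof k !== 'string' && typeof k !== 'number')) {
      throw new TypeError('key segments must be strings or numbers');
    }
    if (path.some((k) => UNSAFE_KEYS.has(String(k)))) {
      throw new RangeError('refusing unsafe key segment');
    }
    let node = target;
    for (const k of path.slice(0, -1)) {
      // Descend only through own properties that already hold objects.
      if (!hasOwn(node, k) || node[k] === null || typeof node[k] !== 'object') node[k] = {};
      node = node[k];
    }
    const last = path[path.length - 1];
    if (change.type === 'del') delete node[last];
    else node[last] = change.value;
  }
  return target;
}
```

Rejecting the whole change set on the first unsafe segment, instead of skipping it silently, leaves a visible error for logging when untrusted input reaches this code path.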
