9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25915

GHSA ID

GHSA-2gqw-q9r9-7f79

EPSS Score

0.85861%

CWE

CWE-1321

Published

5/24/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-25915

CVE-2021-25915: Changeset vulnerable to prototype pollution

Overview

Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows attackers to cause a denial of service and may lead to remote code execution.

Details

The npm module 'changeset' can be abused by Prototype Pollution vulnerability since the function 'apply()' does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

The 'apply()' function accepts 'changes, target, modify' as argument. Due to the absence of validation on the values passed into the 'changes' argument, an attacker can supply a malicious value by adjusting the value to include the 'proto' property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property 'polluted' will be directly be assigned to the new object thereby polluting the Object prototype. Using the example below, if there is a check to validate 'polluted' the valued later in the code, it would be substituted as "Yes! Its Polluted" as it had been polluted.

PoC Code

var changeset = require("changeset") const patch = [{
    type: 'put',
    key: ["__proto__", "polluted"],
    value: "Yes! Its Polluted"
}];
console.log("Before : " + {}.polluted);
changeset.apply(patch, {}, true);
console.log("After : " + {}.polluted);

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25915

GHSA ID

GHSA-2gqw-q9r9-7f79

EPSS Score

0.85861%

CWE

CWE-1321

Published

5/24/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
changeset	npm	>= 0.0.1, < 0.2.5	0.2.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly states the apply() function lacks type checking and prototype pollution protections.
The commit diff shows critical security checks were added to the apply() function in index.js:
- Added 'hasOwnProperty' checks before property traversal
- Added explicit 'proto' key filtering
The PoC demonstrates exploitation through the apply() function
The CWE-1321 mapping confirms this is a prototype pollution vulnerability in property assignment logic
The patch adds prototype pollution tests specifically targeting the apply() function's behavior

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w Prototyp* pollution vuln*r**ility in '***n**s*t' v*rsions *.*.* t*rou** *.*.* *llows *tt**k*rs to **us* * **ni*l o* s*rvi** *n* m*y l*** to r*mot* *o** *x**ution. ### **t*ils T** npm mo*ul* '***n**s*t' **n ** **us** *y Prototyp* Polluti

Reasoning

*. T** vuln*r**ility **s*ription *xpli*itly st*t*s t** *pply() *un*tion l**ks typ* ****kin* *n* prototyp* pollution prot**tions. *. T** *ommit *i** s*ows *riti**l s**urity ****ks w*r* ***** to t** *pply() *un*tion in in**x.js: - ***** '**sOwnProp*

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-25915: Changeset vulnerable to prototype pollution

Overview

Details

PoC Details

PoC Code

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI