9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25944

GHSA ID

GHSA-h6xg-rg33-9mf4

EPSS Score

0.84812%

CWE

CWE-1321

Published

5/24/2022

Updated

4/22/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-25944

CVE-2021-25944: deep-defaults vulnerable to prototype pollution

Overview

Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module deep-defaults can be abused by Prototype Pollution vulnerability since the function _deepDefaults() does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC

The _deepDefaults () function accepts dest, src as arguments. Due to the absence of validation on the values passed into the src argument, an attacker can supply a malicious value by adjusting the value to include the __proto__ property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property polluted will be directly be assigned to the new object thereby polluting the Object prototype. Later in the code, if there is a check to validate polluted the valued would be substituted as "Yes! Its Polluted" as it had been polluted.

var deepDefaults = require("deep-defaults")
var malicious_payload = '{"__proto__":{"polluted":"Yes! Its Polluted"}}';
var obj ={};
console.log("Before : " + {}.polluted);
deepDefaults(obj, JSON.parse(malicious_payload));
console.log("After : " + {}.polluted);

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25944

GHSA ID

GHSA-h6xg-rg33-9mf4

EPSS Score

0.84812%

CWE

CWE-1321

Published

5/24/2022

Updated

4/22/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
deep-defaults	npm	>= 1.0.0, <= 1.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly identifies _deepDefaults as the vulnerable function. The function's implementation (visible in lib/index.js) shows it uses _.each to copy properties from src to dest without: 1) validating if the property key is proto or other sensitive prototype properties, 2) checking if properties belong to the object's own properties using hasOwnProperty or equivalent. This allows prototype pollution via malicious src input containing proto payloads, as demonstrated in the PoC. The confidence is high as the analysis matches both the vulnerability description and the actual code implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w Prototyp* pollution vuln*r**ility in '***p-****ults' v*rsions *.*.* t*rou** *.*.* *llows *tt**k*r to **us* * **ni*l o* s*rvi** *n* m*y l*** to r*mot* *o** *x**ution. ### **t*ils T** NPM mo*ul* `***p-****ults` **n ** **us** *y Prototyp*

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s _***p****ults *s t** vuln*r**l* *un*tion. T** *un*tion's impl*m*nt*tion (visi*l* in li*/in**x.js) s*ows it us*s _.**** to *opy prop*rti*s *rom sr* to **st wit*out: *) v*li**tin* i* t** prop*rty k*

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-25944: deep-defaults vulnerable to prototype pollution

Overview

Details

PoC

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI