7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4279

GHSA ID

GHSA-8gh8-hqwg-xf34

EPSS Score

0.29446%

CWE

CWE-1321

Published

12/25/2022

Updated

3/1/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-4279

CVE-2021-4279: Starcounter-Jack JSON-Patch Prototype Pollution vulnerability

A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.1 can address this issue. The name of the patch is 7ad6af41eabb2d799f698740a91284d762c955c9. It is recommended to upgrade the affected component. VDB-216778 is the identifier assigned to this vulnerability.

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4279

GHSA ID

GHSA-8gh8-hqwg-xf34

EPSS Score

0.29446%

CWE

CWE-1321

Published

12/25/2022

Updated

3/1/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fast-json-patch	npm	< 3.1.1	3.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient validation in the applyOperation function across all implementations (TypeScript, CommonJS, and ESM). The commit diff shows the fix added checks for both __proto__ and constructor/prototype path segments. Prior to the patch, these functions allowed modification of prototype attributes via nested keys, as demonstrated in the PoC using paths like /constructor/prototype/polluted. The functions' role in processing JSON Patch operations made them the entry point for uncontrolled prototype modifications.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n *oun* in St*r*ount*r-J**k JSON-P*t** up to *.*.* *n* *l*ssi*i** *s pro*l*m*ti*. T*is vuln*r**ility *****ts unknown *o**. T** m*nipul*tion l***s to improp*rly *ontroll** mo*i*i**tion o* o*j**t prototyp* *ttri*ut*s ('prototyp*

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt v*li**tion in t** `*pplyOp*r*tion` *un*tion **ross *ll impl*m*nt*tions (Typ*S*ript, *ommonJS, *n* *SM). T** *ommit *i** s*ows t** *ix ***** ****ks *or *ot* `__proto__` *n* `*onstru*tor/prototyp*` p*t* s**m*

7.3

Basic Information

Concerned about an active attack path?

CVE-2021-4279: Starcounter-Jack JSON-Patch Prototype Pollution vulnerability

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI