CVE-2021-44908: Prototype Pollution in Sails.js

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.61855%
Published: 3/18/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: sails
Ecosystem: npm
Vulnerable Versions: <= 1.5.2
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the `loadActionModules()` function's handling of dynamically loaded action files. The code uses unsanitized file paths to create action identities (line 163: `actionsLoadedFromDisk[actionIdentity] = true`). If an attacker controls the file path (e.g., via malicious file creation), they can set `actionIdentity` to a prototype property like `__proto__.polluted`, leading to prototype pollution. This matches the CWE-1321 pattern and is explicitly referenced in the advisory's code link to line 32 of `load-action-modules.js` (though the critical logic occurs later in the file). The GitHub issue #7209 confirms the else-if block (lines 134-165) contains the vulnerable assignment.
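The CWE-1321 pattern described above, shown in general form as an added example (not code from Sails or from the advisory): a registry keyed by identities derived from file names, with an unchecked writer beside a hardened one. The dotted-identity derivation, the nested registry and all function names here are assumptions made for illustration.

```javascript
// Added illustration of CWE-1321; none of these helpers are Sails code.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
// Hypothetical derivation: 'user/login.js' -> 'user.login'.
function identityFromPath(relPath) {
  return relPath.replace(/\.js$/i, '').split(/[\\/]/).join('.').toLowerCase();
}

// Weak form: walks a dotted identity into a plain-object tree, no key checks.
function registerUnsafe(registry, identity) {
  const keys = identity.split('.');
  let node = registry;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // '__proto__' resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = true;
}

// Hardened form: reject reserved segments, follow own properties only, use null-prototype nodes.
function registerSafe(registry, identity) {
  const keys = identity.split('.');
  if (keys.some((k) => k === '' || RESERVED.has(k))) {
    throw new Error(`rejected action identity "${identity}"`);
  }
  let node = registry;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own) node[key] = Object.create(null);
    else if (typeof node[key] !== 'object') throw new Error(`"${key}" is already an action`);
    node = node[key];
  }
  node[keys[keys.length - 1]] = true;
}

// Runs both forms on a constructed file name and restores Object.prototype.
function demo() {
  const identity = identityFromPath('__proto__/polluted.js');
  const out = { identity, pollutedByUnsafe: false, rejectedBySafe: false };
  try {
    registerUnsafe({}, identity);
    out.pollutedByUnsafe = ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
  try { registerSafe(Object.create(null), identity); } catch (e) { out.rejectedBySafe = true; }
  out.pollutedAfterSafe = 'polluted' in {};
  return out;
}
console.log(demo());
```

The same reserved-segment check can be applied at the point where identities are derived from disk, so that a rejected file name is logged and skipped before any registry write.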
