Prototype pollution in msgpack5 - CVE-2021-21368
Published: June 2, 2023
Vulnerability identifier: #VU76823
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21368
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
msgpack5
msgpack5
Software vendor:
mcollina
mcollina
Description
The vulnerability allows a remote user to execute arbitrary JavaScript code.
The vulnerability occrures when msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor property for the receiver's prototype. A remote user can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
External links
- https://github.com/mcollina/msgpack5/releases/tag/v3.6.1
- https://github.com/mcollina/msgpack5/releases/tag/v5.2.1
- https://github.com/mcollina/msgpack5/releases/tag/v4.5.1
- https://github.com/mcollina/msgpack5/commit/d4e6cb956ae51c8bb2828e71c7c1107c340cf1e8
- https://github.com/mcollina/msgpack5/security/advisories/GHSA-gmjw-49p4-pcfm
- https://www.npmjs.com/package/msgpack5