How the CVE Works
CVE-2021-23343 is a prototype pollution vulnerability in Node.js versions before 16.4.1, 14.17.2, and 12.22.2, attributed to missing key validation in the `qs` query-string parser. `qs` is a third-party npm package (the parser behind Express's extended query handling), not part of Node.js core, so the affected `qs` release matters as much as the Node.js version. The bug works like this: a bracket-notation parser turns `a[b]=c` into nested objects by walking each key segment and creating or reusing a child object. If a segment is `__proto__` (or the pair `constructor[prototype]`) and the parser does not reject it, `target['__proto__']` resolves to `Object.prototype`, so the final assignment lands on the shared prototype instead of on the parsed result. Every object in the process that inherits from `Object.prototype` then sees the attacker-controlled property. What that buys the attacker depends on how the application consumes an unexpected inherited property: a check such as `if (user.isAdmin)` can become true (privilege escalation), an overwritten method or non-string value can crash request handling (denial of service), and code that forwards polluted values into a template engine, `child_process`, or a similar sink can be driven to remote code execution.
DailyCVE Form
Platform: Node.js
Version: <16.4.1, <14.17.2, <12.22.2
Vulnerability: Prototype Pollution
Severity: High
Date: 2021-06-15
Prediction: Patch expected by 2021-06-30
What Undercode Says
npm audit
npm update qs

`npm audit` reports the vulnerable `qs` range from the lockfile. Note that `npm update qs` only moves within the range declared in package.json; if that range still excludes the fixed release, install a patched version explicitly and re-run `npm audit` to confirm.
const qs = require('qs');
// allowPrototypes defaults to false in qs; never set it to true on untrusted input
const parsed = qs.parse(input, { allowPrototypes: false });
How to Exploit
GET /?__proto__[polluted]=true HTTP/1.1

Once a vulnerable parser has processed that query string, every object in the process inherits the new property, which any code path in the application can observe:

if (Object.prototype.polluted) { console.log("Exploited!"); }
Protection from this CVE
- Update Node.js to v16.4.1, 14.17.2, or 12.22.2, and keep `qs` itself at a patched release.
- Use `qs` with `allowPrototypes: false` (the default); do not enable it for user-supplied input.
- Sanitize user input before parsing: reject or drop keys whose segments are `__proto__`, `constructor`, or `prototype`, and build parsed results on prototype-less objects (`Object.create(null)`).
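Added example, not code from the original page or from the `qs` project: a minimal bracket-notation query-string parser written in the vulnerable style described under "How the CVE Works", beside a hardened version that applies the protections listed above. It runs the request from the exploit section (`__proto__[polluted]=true`) through both. The functions `keyPath`, `pairs`, `parseVulnerable`, `parseHardened`, `demo` and the constant `MALICIOUS_QUERY` are constructed for this illustration and are not qs's internals.

```javascript
'use strict';

// Split a bracket-notation key such as "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(rawKey);
  if (!m) return [rawKey];
  const path = [m[1]];
  const bracket = /\[([^[\]]*)\]/g;
  let part;
  while ((part = bracket.exec(m[2])) !== null) path.push(part[1]);
  return path;
}

// Decode "k=v&k2=v2" into [key, value] pairs.
function pairs(queryString) {
  return queryString.split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    const k = eq === -1 ? pair : pair.slice(0, eq);
    const v = eq === -1 ? '' : pair.slice(eq + 1);
    return [decodeURIComponent(k), decodeURIComponent(v)];
  });
}

// Vulnerable style (constructed, mirrors the bug class, not qs's code):
// walk or create a child object per key segment without checking the
// segment name. For "__proto__[polluted]=true", result["__proto__"]
// resolves to Object.prototype, so the final assignment lands on the
// shared prototype instead of on `result`.
function parseVulnerable(queryString) {
  const result = {};
  for (const [key, value] of pairs(queryString)) {
    const path = keyPath(key);
    let current = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof current[path[i]] !== 'object' || current[path[i]] === null) {
        current[path[i]] = {};
      }
      current = current[path[i]];
    }
    current[path[path.length - 1]] = value;
  }
  return result;
}

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = Object.prototype.hasOwnProperty;

// Hardened: drop any pair whose path touches a prototype-related name,
// build containers with no prototype chain, and only descend into own
// properties so an inherited value can never be reused as a target.
function parseHardened(queryString) {
  const result = Object.create(null);
  for (const [key, value] of pairs(queryString)) {
    const path = keyPath(key);
    if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) continue;
    let current = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (!hasOwn.call(current, seg) || typeof current[seg] !== 'object' || current[seg] === null) {
        current[seg] = Object.create(null);
      }
      current = current[seg];
    }
    current[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed input: the query string from the request shown above, plus a
// benign parameter to confirm normal parsing still works.
const MALICIOUS_QUERY = '__proto__[polluted]=true&user[name]=alice';

// Run one parser against the payload and report whether Object.prototype
// gained the attacker's property. The property is removed afterwards so
// both parsers can be compared in one process.
function demo(parser) {
  delete Object.prototype.polluted;
  const parsed = parser(MALICIOUS_QUERY);
  const polluted = hasOwn.call(Object.prototype, 'polluted');
  const seenByFreshObject = ({}).polluted; // what unrelated code would observe
  delete Object.prototype.polluted;
  return { polluted, seenByFreshObject, userName: parsed.user && parsed.user.name };
}

console.log('vulnerable:', demo(parseVulnerable));
console.log('hardened:  ', demo(parseHardened));
```

The vulnerable parser leaves `({}).polluted === 'true'` for every object in the process while still parsing `user[name]` normally, which is why the bug is easy to miss in functional tests; the hardened parser returns the same benign data with `Object.prototype` untouched. The hardened version layers three independent controls (segment deny-list, null-prototype containers, own-property check) so that a bypass of any one of them is not enough on its own.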
Impact
- Remote Code Execution
- Privilege Escalation
- Denial of Service
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode