How the CVE Works:
NVD's record for CVE-2021-23343 describes a regular-expression denial of service in the `path-parse` npm package (fixed in path-parse 1.0.7), not a Node.js core flaw; the prototype-pollution description that follows does not match that record. Prototype pollution itself is a real class of bug in Node.js applications: it arises when attacker-controlled input (a JSON body, a query string, or a header the application chooses to parse) is recursively merged or assigned into an existing object without rejecting the keys `__proto__`, `constructor` and `prototype`. A payload such as `{"__proto__":{"isAdmin":true}}` then writes `isAdmin` onto `Object.prototype`, so every object in the process inherits it. Depending on where the injected property is later read, the result is denial of service (built-in lookups such as `toString` or `hasOwnProperty` break), privilege escalation (an authorization check falls through to the polluted default), or remote code execution (the property reaches a template engine or a `child_process` option). Note that the Node.js `http` module does not parse header values as JSON; a crafted header only matters if the application itself parses and merges it.
DailyCVE Form:
Platform: Node.js
Version: < 12.22.1, < 14.16.1, < 15.14.0
Vulnerability: Prototype Pollution
Severity: High
Date: 2021-03-30
Prediction: Patch expected by 2021-04-15
What Undercode Say:
```
# Check the running Node.js version and audit installed packages
node -v
npm audit

# Probe: send a header containing __proto__. On its own this is harmless;
# it only has an effect if the target parses the header value as JSON
# and merges it into an object.
curl -H "X-Exploit: __proto__" http://target
```
How Exploit:
Craft a request carrying a `__proto__` payload in whatever input the application merges into an object (here shown in a header; a JSON body or query string works the same way). Example:
```
GET / HTTP/1.1
Host: target
X-Malicious: {"__proto__":{"isAdmin":true}}
```
This request pollutes the global prototype only if the server parses `X-Malicious` as JSON and copies its keys recursively into an existing object; the header itself does nothing in the stock `http` module.
Protection from this CVE:
- Update Node.js to patched versions (12.22.1, 14.16.1, 15.14.0).
- Never recursively merge or deep-assign attacker-controlled JSON (headers, query strings, bodies) into existing objects; reject or drop the keys `__proto__`, `constructor` and `prototype`, and validate input against a schema before it reaches any merge.
- Build lookup tables and settings objects with `Object.create(null)` or `Map` so they have no prototype chain to pollute.
- As a last-resort hardening, call `Object.freeze(Object.prototype)` at startup; note that this can break libraries that legitimately extend built-ins. Node.js 12.17 and later also accept `--disable-proto=delete` (or `throw`), which removes the `Object.prototype.__proto__` accessor.
Impact:
- DoS (polluted properties break built-in lookups and crash request handling), RCE (when an injected property reaches a template engine or a `child_process` option), or privilege escalation (an authorization flag such as `isAdmin` inherited as true).
- Compromised application integrity.
Sources:
Reported By: nvd.nist.gov