Platform
nodejs
Component
jszip
Fixed in
3.7.0
CVE-2021-23413 describes a prototype pollution vulnerability affecting versions of jszip prior to 3.7.0. This vulnerability allows attackers to manipulate the prototype chain of JavaScript objects by crafting specially designed zip files. Successful exploitation could lead to unexpected behavior or even code execution within applications utilizing the vulnerable jszip library, impacting Node.js projects.
The core of this vulnerability lies in jszip's handling of filenames within zip archives. By crafting a zip file containing filenames that are reserved properties of the JavaScript Object prototype (such as __proto__, toString, or hasOwnProperty), an attacker can overwrite these properties. This modification can alter the behavior of objects created within the application, potentially allowing an attacker to inject malicious code or manipulate existing functionality. The impact can range from denial-of-service to remote code execution, depending on how the application utilizes the modified objects. This is a form of prototype pollution, a common attack vector in JavaScript applications.
CVE-2021-23413 was publicly disclosed on August 10, 2021. While no active exploitation campaigns have been definitively linked to this specific CVE, prototype pollution vulnerabilities are generally considered a high-risk concern. There are publicly available proof-of-concept exploits demonstrating the vulnerability's impact. It is not listed on the CISA KEV catalog as of this writing.
Node.js applications that utilize the jszip library for zip file handling are at risk. This includes web applications, command-line tools, and any other JavaScript environment leveraging jszip. Projects using older versions of jszip, particularly those without robust input validation, are especially vulnerable.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object Name, Path, CPU
• nodejs / supply-chain:
Get-ChildItem -Path ($env:NODE_PATH -split ';') -Recurse -Filter 'jszip*' -ErrorAction SilentlyContinue | Select-Object FullName
• generic web: Inspect Node.js application logs for errors related to object property modifications or unexpected behavior after zip file processing.
disclosure
Exploit status
EPSS
0.14% (34th percentile)
CVSS vector
The primary mitigation for CVE-2021-23413 is to upgrade to jszip version 3.7.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation on filenames extracted from zip archives to prevent the injection of prototype properties. While not a complete solution, this can reduce the attack surface. Additionally, consider using a Web Application Firewall (WAF) that can detect and block requests containing malicious zip files with prototype-polluting filenames. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual object behavior after zip file processing is recommended.
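An added example (not jszip's code and not code from this page) of the filename validation mentioned above, alongside a comparison of a plain object and a null-prototype object used as a filename index. The function names and the sample entry names are constructed for illustration.

```javascript
// Names that already exist on Object.prototype (includes __proto__, toString,
// hasOwnProperty, constructor, valueOf, ...).
const RESERVED = new Set(Object.getOwnPropertyNames(Object.prototype));

// Return the entry names that collide with an Object.prototype property.
// Conservative: a trailing "/" (folder entry) is ignored for the comparison.
function findReservedEntryNames(names) {
  return names.filter((n) => RESERVED.has(n.replace(/\/+$/, "")));
}

// Build a filename -> metadata index, the way an archive reader might.
// `store` is the container under test: {} or Object.create(null).
function indexEntries(names, store) {
  for (const name of names) {
    store[name] = { name, dir: name.endsWith("/") };
  }
  return store;
}

// Constructed sample: entry names as listed from an untrusted archive.
const SAMPLE_NAMES = ["docs/readme.txt", "__proto__", "toString", "img/a.png"];

function demo() {
  const plain = indexEntries(SAMPLE_NAMES, {});
  const safe = indexEntries(SAMPLE_NAMES, Object.create(null));
  return {
    // Entries a validator should refuse before any further processing.
    rejected: findReservedEntryNames(SAMPLE_NAMES),
    // Plain object: the "__proto__" entry is missing from the keys because
    // the assignment replaced the object's prototype instead of adding a key.
    plainKeys: Object.keys(plain),
    plainProtoReplaced: Object.getPrototypeOf(plain) !== Object.prototype,
    // Null-prototype object: every name is stored as an ordinary own key.
    safeKeys: Object.keys(safe),
    safeProto: Object.getPrototypeOf(safe),
  };
}

console.log(demo());
```

Run the validator on the entry list before handing names to any code that uses them as object keys; rejecting the archive is safer than renaming the entries.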
Update the jszip dependency to version 3.7.0 or later. This fixes the denial-of-service vulnerability caused by manipulation of the Object prototype when creating zip files with malicious filenames.
CVE-2021-23413 is a prototype pollution vulnerability in jszip versions before 3.7.0. Attackers can manipulate JavaScript object prototypes by crafting malicious zip files, potentially leading to code execution.
If you are using jszip versions prior to 3.7.0 in your Node.js application, you are potentially affected by this vulnerability. Check your project dependencies to determine your jszip version.
Upgrade to jszip version 3.7.0 or later to remediate this vulnerability. This version includes a fix that prevents prototype pollution.
While no confirmed active exploitation campaigns have been publicly linked to this CVE, prototype pollution vulnerabilities are a known attack vector, and exploitation is possible.
Refer to the jszip GitHub repository for details and updates: https://github.com/jszip/jszip/issues/1823