Plattform
nodejs
Komponente
json-schema
Behoben in
0.3.1
0.4.0
CVE-2021-3918 describes a Prototype Pollution vulnerability affecting the json-schema library. This flaw allows attackers to modify object prototype attributes, potentially leading to denial of service or arbitrary code execution. This vulnerability affects json-schema versions prior to 0.4.0. Version 0.4.0 contains a fix for this issue.
Prototype Pollution vulnerabilities arise when an attacker can inject properties into the global Object.prototype or the prototypes of other built-in JavaScript objects. In the context of json-schema, this could allow an attacker to modify the behavior of the schema validation process. A successful exploitation could lead to denial-of-service by corrupting the object prototype, or, in more severe cases, potentially enable arbitrary code execution if the modified prototype is used in sensitive operations. The impact is particularly concerning in Node.js environments where json-schema is frequently used for data validation and configuration management.
CVE-2021-3918 was publicly disclosed on November 19, 2021. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of prototype pollution attacks against json-schema. The vulnerability's ease of exploitation and potential impact have made it a target for opportunistic attackers.
Exploit-Status
EPSS
1.26% (79% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2021-3918 is to upgrade the json-schema library to version 0.4.0 or later. If upgrading is not immediately feasible due to compatibility issues, consider implementing input validation and sanitization to prevent malicious data from reaching the json-schema library. While not a complete solution, restricting the input data to trusted sources can reduce the attack surface. Furthermore, consider using a Web Application Firewall (WAF) that can detect and block attempts to inject prototype pollution payloads. There are no specific Sigma or YARA rules readily available for this particular vulnerability, but generic prototype pollution detection rules may be applicable.
Aktualisieren Sie die json-schema Bibliothek auf eine Version nach 0.3.0. Dies behebt die Prototype Pollution Schwachstelle. Sie können die Abhängigkeit mit npm oder yarn aktualisieren.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
Prototype Pollution is an attack that allows an attacker to modify properties on the Object.prototype, impacting all object instances in JavaScript.
If you are using kriszyp/json-schema in a version prior to 0.4.0, your application is vulnerable. Review your code to identify where the library is used and if you process JSON data from untrusted sources.
Implementing additional validations on JSON input can help reduce the risk, but it is not a complete solution. Monitoring application logs is also important.
JSON schemas that attempt to modify properties of the Object.prototype, such as proto, constructor, or custom properties.
You can find more information in the NIST vulnerability database: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.