Platform: nodejs
Component: jszip
Fixed in: 3.7.0
CVE-2021-23413 describes a prototype pollution vulnerability affecting versions of jszip prior to 3.7.0. This vulnerability allows attackers to manipulate the prototype chain of JavaScript objects by crafting specially designed zip files. Successful exploitation could lead to unexpected behavior or even code execution within applications utilizing the vulnerable jszip library, impacting Node.js projects.
The core of this vulnerability lies in jszip's handling of filenames within zip archives. By crafting a zip file containing filenames that are reserved properties of the JavaScript Object prototype (such as __proto__, toString, or hasOwnProperty), an attacker can overwrite these properties. This modification can alter the behavior of objects created within the application, potentially allowing an attacker to inject malicious code or manipulate existing functionality. The impact can range from denial-of-service to remote code execution, depending on how the application utilizes the modified objects. This is a form of prototype pollution, a common attack vector in JavaScript applications.
CVE-2021-23413 was publicly disclosed on August 10, 2021. While no active exploitation campaigns have been definitively linked to this specific CVE, prototype pollution vulnerabilities are generally considered a high-risk concern. There are publicly available proof-of-concept exploits demonstrating the vulnerability's impact. It is not listed on the CISA KEV catalog as of this writing.
EPSS: 0.14% (34th percentile)
The primary mitigation for CVE-2021-23413 is to upgrade to jszip version 3.7.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation on filenames extracted from zip archives to prevent the injection of prototype properties. While not a complete solution, this can reduce the attack surface. Additionally, consider using a Web Application Firewall (WAF) that can detect and block requests containing malicious zip files with prototype-polluting filenames. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual object behavior after zip file processing is recommended.
Update the jszip dependency to version 3.7.0 or higher. This corrects the denial-of-service vulnerability caused by Object prototype manipulation when creating zip files with malicious filenames.
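The filename validation suggested above can be sketched as follows. This is an added example, not code from jszip or from this advisory: the two index functions are a simplified model of a filename-keyed file map, and every function name and the sample entry names are assumptions constructed for illustration.

```javascript
// Added example. Entry names are constructed sample input, not a real archive.
const SAMPLE_NAMES = ["docs/readme.txt", "__proto__", "toString", "img/logo.png"];

// Affected pattern (simplified model, not jszip's source): entries are stored
// in a plain object keyed by the archive-supplied name.
function indexWithPlainObject(names) {
  const files = {};
  for (const name of names) files[name] = { name };
  return files;
}

// Hardened pattern: a null-prototype object has no inherited keys and no
// __proto__ setter, so every entry name is stored as ordinary data.
function indexWithNullPrototype(names) {
  const files = Object.create(null);
  for (const name of names) files[name] = { name };
  return files;
}

// Names defined on Object.prototype in this runtime, plus __proto__ explicitly.
const RESERVED = new Set([
  ...Object.getOwnPropertyNames(Object.prototype),
  "__proto__",
]);

// Pre-check for untrusted archives: return entry names where any path segment
// equals a reserved name (stricter than matching the whole name only).
function findReservedNames(names) {
  return names.filter((name) =>
    name.split(/[\\/]/).some((segment) => RESERVED.has(segment)));
}

// Summarise what an index looks like after the names were loaded into it.
function inspectIndex(files) {
  const proto = Object.getPrototypeOf(files);
  return {
    ownKeys: Object.keys(files),
    prototypeReplaced: proto !== null && proto !== Object.prototype,
  };
}

console.log("plain object:", inspectIndex(indexWithPlainObject(SAMPLE_NAMES)));
console.log("null prototype:", inspectIndex(indexWithNullPrototype(SAMPLE_NAMES)));
console.log("reject before processing:", findReservedNames(SAMPLE_NAMES));
```

In the plain-object model the `__proto__` entry disappears from the key list and replaces the map's prototype, which is the kind of "unusual object behavior after zip file processing" worth alerting on; the null-prototype model keeps all four names as data.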
CVE-2021-23413 is a prototype pollution vulnerability in jszip versions before 3.7.0. Attackers can manipulate JavaScript object prototypes by crafting malicious zip files, potentially leading to code execution.
If you are using jszip versions prior to 3.7.0 in your Node.js application, you are potentially affected by this vulnerability. Check your project dependencies to determine your jszip version.
Upgrade to jszip version 3.7.0 or later to remediate this vulnerability. This version includes a fix that prevents prototype pollution.
While no confirmed active exploitation campaigns have been publicly linked to this CVE, prototype pollution vulnerabilities are a known attack vector, and exploitation is possible.
Refer to the jszip GitHub repository for details and updates: https://github.com/jszip/jszip/issues/1823