Platform: nodejs
Component: json-schema
Fixed in: 0.3.1, 0.4.0
CVE-2021-3918 describes a Prototype Pollution vulnerability affecting the json-schema library. This flaw allows attackers to modify object prototype attributes, potentially leading to denial of service or arbitrary code execution. This vulnerability affects json-schema versions prior to 0.4.0. Version 0.4.0 contains a fix for this issue.
CVE-2021-3918 in the kriszyp/json-schema library, versions prior to 0.4.0, exposes applications to 'Prototype Pollution' attacks. This vulnerability allows an attacker to modify properties on the Object.prototype, potentially impacting all object instances within JavaScript. This can lead to unexpected behavior, application errors, or even malicious code execution if these polluted properties are used in critical application logic. The CVSS score of 9.8 indicates a critical risk, signifying relatively easy exploitation and potentially devastating impact. The vulnerability stems from how the library processes JSON schemas that allow modification of prototype properties. Upgrading to version 0.4.0 or higher is crucial to mitigate this risk.
The vulnerability can be exploited by sending malicious JSON schemas to the kriszyp/json-schema library. These schemas are designed to modify properties of the Object.prototype. The attacker needs control over the JSON input passed to the library. Exploitation is more likely in applications processing JSON data from untrusted sources, such as external APIs or user input. The complexity of exploitation depends on the application's configuration and implemented validations. Lack of JSON input validation is a key factor facilitating exploitation. The subtle nature of prototype pollution makes exploitation difficult to detect, increasing the risk.
Exploit Status
EPSS: 1.26% (79% percentile)
CVSS Vector
The most effective mitigation for CVE-2021-3918 is to update the kriszyp/json-schema library to version 0.4.0 or later. This version includes a fix that prevents prototype pollution. If an immediate update is not possible, carefully review the code that uses this library, looking for patterns susceptible to prototype pollution. Implementing additional validations on JSON input can help reduce the risk, although it is not a complete solution. Monitoring application logs for anomalous behavior related to object manipulation can also aid in detecting and responding to potential attacks. Penetration testing is recommended to identify potential weaknesses.
Update the json-schema library to a version later than 0.3.0. This will resolve the Prototype Pollution vulnerability. You can update the dependency using npm or yarn.
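One way to implement the additional JSON input validation mentioned above, as an added example (not code from the json-schema project or from this advisory): a guard that parses untrusted text and rejects it when any key matches a deny-list. The function names, the sample inputs and the inclusion of `prototype` in the deny-list are assumptions.

```javascript
'use strict';

// Key names listed on the page (__proto__, constructor); "prototype" is an added assumption.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value with an explicit stack (deep nesting cannot overflow
// the call stack) and return the sorted paths of every forbidden key found.
function findPollutionKeys(root) {
  const hits = [];
  const stack = [{ value: root, path: '' }];
  while (stack.length > 0) {
    const { value, path } = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    // JSON.parse defines "__proto__" as an own property, so Object.keys sees it.
    for (const key of Object.keys(value)) {
      const childPath = `${path}/${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(childPath);
      stack.push({ value: value[key], path: childPath });
    }
  }
  return hits.sort();
}

// Parse untrusted text; throw instead of returning a document with forbidden keys.
function parseUntrustedJson(text) {
  const parsed = JSON.parse(text);
  const hits = findPollutionKeys(parsed);
  if (hits.length > 0) {
    throw new Error(`rejected JSON, forbidden keys at: ${hits.join(', ')}`);
  }
  return parsed;
}

// Constructed sample inputs (not taken from any real traffic).
const CLEAN_SCHEMA = '{"type":"object","properties":{"name":{"type":"string"}}}';
const SUSPECT_SCHEMA =
  '{"type":"object","properties":{"a":{"__proto__":{"x":1}}},"items":[{"constructor":{}}]}';

function demo() {
  const results = [];
  for (const text of [CLEAN_SCHEMA, SUSPECT_SCHEMA]) {
    try {
      parseUntrustedJson(text);
      results.push('accepted');
    } catch (err) {
      results.push(err.message);
    }
  }
  return results;
}
console.log(demo());
```

The guard is deliberately strict: it also rejects legitimate documents that use these names as ordinary property names, and it complements the upgrade rather than replacing it.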
Prototype Pollution is an attack that allows an attacker to modify properties on the Object.prototype, impacting all object instances in JavaScript.
If you are using kriszyp/json-schema in a version prior to 0.4.0, your application is vulnerable. Review your code to identify where the library is used and if you process JSON data from untrusted sources.
Implementing additional validations on JSON input can help reduce the risk, but it is not a complete solution. Monitoring application logs is also important.
JSON schemas that attempt to modify properties of the Object.prototype, such as __proto__, constructor, or custom properties.
You can find more information in the NIST vulnerability database: https://nvd.nist.gov/vuln/detail/CVE-2021-3918