Fixed version: 3.7.0
CVE-2021-23413 describes a prototype pollution vulnerability affecting versions of jszip prior to 3.7.0. An attacker who can supply a crafted zip file to an application that loads it with jszip can alter the prototype chain of the object jszip returns for the archive's entries. Successful exploitation leads to unexpected behavior in the consuming application, from crashes to logic errors, and, depending on how the application uses the returned object, potentially worse. jszip runs in both Node.js and browser applications, so both are in scope.
The core of this vulnerability lies in how jszip indexes the entries of an archive. Entries were kept in a plain JavaScript object keyed by filename, so an archive containing an entry whose name collides with a property of Object.prototype (such as `__proto__`, `toString`, or `hasOwnProperty`) either re-parents the returned files object (an entry named `__proto__` becomes that object's prototype) or shadows a built-in method with entry data (an entry named `hasOwnProperty` makes a later `files.hasOwnProperty(...)` call throw a TypeError). Code that then enumerates or looks up entries sees attacker-controlled properties that were never in the archive, or fails outright. The direct impact is therefore denial of service and logic errors in the application; code execution would additionally require the application to pass the polluted object into a gadget that acts on it, which this CVE does not provide by itself. This is a form of prototype pollution, a common attack vector in JavaScript applications.
CVE-2021-23413 was publicly disclosed on August 10, 2021. While no active exploitation campaigns have been definitively linked to this specific CVE, prototype pollution vulnerabilities are generally considered a high-risk concern. There are publicly available proof-of-concept exploits demonstrating the vulnerability's impact. It is not listed on the CISA KEV catalog as of this writing.
Any application that uses the jszip library to read untrusted zip files is at risk. This includes web applications, command-line tools, and any other JavaScript environment leveraging jszip, in Node.js or in the browser. Projects using older versions of jszip, particularly those that enumerate or look up entries by name without validating the names, are especially exposed.
• nodejs / supply-chain (enumerate running Node.js processes as candidates; this alone does not prove jszip is loaded):
Get-Process | Where-Object { $_.ProcessName -like '*node*' } | Select-Object Name, Path, CPU
• nodejs / supply-chain (find every installed copy of jszip and read its version from package.json; searches NODE_PATH if set plus the project's node_modules. The original command pointed Get-ChildItem at the Env: drive entry itself, which cannot be recursed into):
Get-ChildItem -Path ((($env:NODE_PATH -split ';') + '.\node_modules') | Where-Object { $_ }) -Recurse -Directory -Filter 'jszip' -ErrorAction SilentlyContinue | ForEach-Object { $v = (Get-Content -Raw (Join-Path $_.FullName 'package.json') | ConvertFrom-Json).version; [pscustomobject]@{ Path = $_.FullName; Version = $v } }
• generic web: Inspect Node.js application logs for TypeErrors ("... is not a function") or unexpected property lookups immediately after zip file processing; a zip entry named hasOwnProperty or toString shadows those methods on the returned files object.
Exploitation status: disclosure
EPSS: 0.14% (34th percentile)
CVSS vector:
The primary mitigation for CVE-2021-23413 is to upgrade to jszip version 3.7.0 or later, which contains the fix. If upgrading is not immediately feasible, validate entry names before using them as object keys: reject any path segment equal to `__proto__`, `constructor`, or `prototype`, and keep your own index of entries in a prototype-less container (`Object.create(null)`) or a Map rather than a plain object literal. This reduces the attack surface but does not change what jszip itself returns, so it is a stopgap, not a fix. A Web Application Firewall is of limited use here: the offending filenames sit inside the archive's local headers and central directory, so a body-matching rule on `__proto__` catches only the crudest cases and should not be relied on. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual object behavior after zip file processing is recommended.
Upgrade the jszip dependency to 3.7.0 or later. This fixes a denial-of-service vulnerability caused by manipulation of the Object prototype when a zip file with malicious filenames is loaded.
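The following is an added example, not jszip's own code, that illustrates both the mechanism described above and the stopgap mitigation. It models the pre-3.7.0 pattern of keeping archive entries in a plain object keyed by filename (an approximation of the library's behaviour, not its source), places a hardened loader beside it, and runs two naive consumer routines over a constructed archive listing. The entry objects, the function names, and the forbidden-segment list are assumptions made for the example.

```javascript
// Added example (not jszip's own code). Models storing archive entries in a
// plain object keyed by entry name, the pattern behind CVE-2021-23413, and a
// hardened registry next to it. All entry data below is constructed.

// Path segments that reach Object.prototype machinery when used as keys.
// (Assumed list for this example; extend to suit your consumer code.)
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function isSafeEntryName(name) {
  if (typeof name !== "string" || name.length === 0) return false;
  // Check every segment so "dir/__proto__/x" is rejected, not just "__proto__".
  return name.split(/[\\/]+/).every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Vulnerable pattern: `{}` inherits Object.prototype, whose __proto__ setter
// re-parents `files` when an entry is named "__proto__", and whose methods
// are shadowed by an entry named e.g. "hasOwnProperty".
function loadEntriesVulnerable(entries) {
  const files = {};
  for (const e of entries) files[e.name] = e;
  return files;
}

// Hardened pattern: prototype-less container (no __proto__ setter to hit)
// plus name validation, so a later Object.assign({}, files) or similar copy
// into a plain object cannot re-trigger the setter either.
function loadEntriesHardened(entries) {
  const files = Object.create(null);
  for (const e of entries) {
    if (!isSafeEntryName(e.name)) throw new Error(`rejected entry name: ${e.name}`);
    files[e.name] = e;
  }
  return files;
}

// Naive consumer code: enumerate entry names with for-in, which walks the
// prototype chain and so reports inherited keys as if they were entries.
function listEntryNames(files) {
  const names = [];
  for (const n in files) names.push(n);
  return names;
}

// Naive consumer code: membership test via the inherited method.
function hasEntry(files, name) {
  return files.hasOwnProperty(name);
}

// Constructed archive listing: one benign entry plus two colliding names.
const CRAFTED_ENTRIES = [
  { name: "readme.txt", dir: false },
  { name: "__proto__", dir: true, injected: "yes" },
  { name: "hasOwnProperty", dir: false },
];

function runDemo() {
  const bad = loadEntriesVulnerable(CRAFTED_ENTRIES);
  const result = {
    // The "__proto__" entry object is now the prototype of the files map.
    reparented: Object.getPrototypeOf(bad) === CRAFTED_ENTRIES[1],
    // A property that was never an entry resolves through that prototype.
    phantomValue: bad.injected,
    // for-in lists the attacker object's fields as if they were entry names.
    listedNames: listEntryNames(bad),
    membershipThrows: false,
    hardenedRejects: false,
  };
  try {
    hasEntry(bad, "readme.txt");
  } catch (err) {
    result.membershipThrows = err instanceof TypeError; // shadowed method
  }
  try {
    loadEntriesHardened(CRAFTED_ENTRIES);
  } catch (err) {
    result.hardenedRejects = /rejected entry name/.test(err.message);
  }
  return result;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The name check is deliberately kept even though `Object.create(null)` already removes the `__proto__` setter: the moment the entries are copied into a plain object (for example with `Object.assign` or a spread) the key would hit the setter again, so rejecting the names at the boundary is the durable defence. Consumers should also test membership with `Object.prototype.hasOwnProperty.call(files, name)` rather than `files.hasOwnProperty(name)`, which a shadowing entry breaks.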
CVE-2021-23413 is a prototype pollution vulnerability in jszip versions before 3.7.0. Attackers can alter the prototype of the object jszip returns for a crafted zip file's entries, leading to denial of service or logic errors in the consuming application and, depending on how that application uses the object, potentially further impact.
If you are using jszip versions prior to 3.7.0 in your Node.js or browser application and load zip files from untrusted sources, you are potentially affected by this vulnerability. Check your project dependencies, including transitive ones, to determine your jszip version.
Upgrade to jszip version 3.7.0 or later to remediate this vulnerability. This version includes a fix that prevents prototype pollution through entry names.
While no confirmed active exploitation campaigns have been publicly linked to this CVE, prototype pollution vulnerabilities are a known attack vector, public proof-of-concept archives exist, and exploitation is straightforward wherever untrusted zip files are accepted.
Refer to the jszip GitHub issue tracker for details and updates: https://github.com/jszip/jszip/issues/1823