Fix CVE–2021–43138

[debricked]

CVE–2021–43138

Vulnerable dependency:     async (npm)    2.6.3    1.5.2    2.6.1

Vulnerability details

Description

NVD

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

GitHub

Prototype Pollution in async

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

CVSS details - 7.8

 

CVSS3 metrics
Attack Vector	Local
Attack Complexity	Low
Privileges Required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    THIRD PARTY
    async/CHANGELOG.md at v2.6.4 · caolan/async · GitHub
    Prototype Pollution in async · CVE-2021-43138 · GitHub Advisory Database · GitHub
    Fix prototype pollution vulnerability · caolan/async@e1ecdbf · GitHub
    async/iterator.js at master · caolan/async · GitHub
    Edit fiddle - JSFiddle - Code Playground
    async/mapValuesLimit.js at master · caolan/async · GitHub
    Fix prototype pollution vulnerability (#1828) · caolan/async@8f7f903 · GitHub
    Fix prototype pollution vulnerability by mriedem · Pull Request #1828 · caolan/async · GitHub
    Comparing v2.6.3...v2.6.4 · caolan/async · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE