Fix CVE–2021–43138

[debricked]

CVE–2021–43138

Vulnerability details

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

NVD

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

GitHub

Prototype Pollution in async

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

CVSS details - 7.8

 

CVSS3 metrics
Attack Vector	Local
Attack Complexity	Low
Privileges Required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    Prototype Pollution in async · CVE-2021-43138 · GitHub Advisory Database · GitHub
    async/CHANGELOG.md at v2.6.4 · caolan/async · GitHub
    NVD - CVE-2021-43138
    Fix prototype pollution vulnerability · caolan/async@e1ecdbf · GitHub
    async/iterator.js at master · caolan/async · GitHub
    Edit fiddle - JSFiddle - Code Playground
    async/mapValuesLimit.js at master · caolan/async · GitHub
    Fix prototype pollution vulnerability (#1828) · caolan/async@8f7f903 · GitHub
    Fix prototype pollution vulnerability by mriedem · Pull Request #1828 · caolan/async · GitHub
    Comparing v2.6.3...v2.6.4 · caolan/async · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE