Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-21368

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Published: Mar 12, 2021 | Modified: Nov 21, 2024
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-21368
CWEhttps://cwe.mitre.org/data/definitions/915.html

msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a Prototype Poisoning vulnerability. When msgpack5 decodes a map containing a key proto, it assigns the decoded value to proto. Object.prototype.proto is an accessor property for the receivers prototype. If the value corresponding to the key proto decodes to an object or null, msgpack5 sets the decoded objects prototype to that value. An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the proto value decodes to a Map or Date). Other unexpected behavior might be produced for other types. There is no effect on the global prototype. This prototype poisoning is sort of a very limited inversion of a prototype pollution attack. Only the decoded values prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumers code). This has been fixed in msgpack5 version 3.6.1, 4.5.1, and 5.2.1. See the referenced GitHub Security Advisory for an example and more details.

Weakness

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Affected Software

Name Vendor Start Version End Version
Msgpack5 Msgpack5_project * 3.6.1 (excluding)
Msgpack5 Msgpack5_project 4.0.0 (including) 4.5.1 (excluding)
Msgpack5 Msgpack5_project 5.0.0 (including) 5.2.1 (excluding)

Extended Description

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

Potential Mitigations

  • If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
  • For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use