VYPR
High severity · NVD Advisory · Published Apr 23, 2021 · Updated Aug 3, 2024

CVE-2021-20085

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Backbone-query-parameters 0.4.0 allows Object.prototype injection via crafted query strings.

Vulnerability

CVE-2021-20085 is a prototype pollution vulnerability in the backbone-query-parameters library, version 0.4.0. The _extractParameters function in backbone.queryparams.js [2] passes user-controlled query string keys to _setParamValue, which splits each key on "." and assigns the resulting nested properties without adequate validation, so a key can walk into Object.prototype.

Exploitation

An attacker can trigger the vulnerability by crafting a URL with query parameters containing keys like __proto__.test=value or constructor.prototype.test=value [2]. The PoC demonstrates that when a Backbone Router processes such a URL, the malicious key traverses the prototype chain and sets arbitrary properties on Object.prototype [2]. The attacker only needs to deliver the crafted URL to a user whose application uses the vulnerable library; no authentication or special network position is required.

Impact

Successful exploitation allows an attacker to inject arbitrary properties into Object.prototype, affecting all objects in the application. This can lead to unexpected behavior, property inheritance, and potentially further attacks such as denial of service or privilege escalation, depending on how the polluted properties are used by the application [1][2].

Mitigation

No official patched version of backbone-query-parameters has been released as of the publication date (2021-04-23) [1]. Application developers should sanitize or reject incoming query strings that contain prototype pollution patterns (e.g., __proto__, constructor.prototype) before they reach the vulnerable parsing function. The repository does not appear to be actively maintained; migrating to an alternative query string parser is recommended [2].
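One way to implement the check described above, as an added JavaScript example that is not code from backbone-query-parameters: it keeps the dot-split nested assignment the advisory attributes to _setParamValue but percent-decodes each key first and rejects any segment that would reach Object.prototype. The function names and the sample query string are assumptions made for this example.

```javascript
// Added example (not backbone-query-parameters code): a query-string parser that
// keeps the "split the key on '.' and assign nested properties" behaviour the
// advisory describes, but refuses key segments that would reach Object.prototype.
// 'prototype' alone is also refused, a deliberately conservative choice.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True when any dot-separated segment of the (already decoded) key could walk the
// prototype chain, e.g. "__proto__.test" or "constructor.prototype.test".
function isUnsafeKeyPath(key) {
  return key.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Assign value at the dotted path under root. Intermediate objects are created
// with Object.create(null), so nothing written here can be inherited elsewhere.
function setParamValue(root, key, value) {
  const segs = key.split('.');
  let node = root;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segs[segs.length - 1]] = value;
}

// Parse "?a=1&b.c=2" style strings. Keys are percent-decoded BEFORE the check so
// an encoded "%5F%5Fproto%5F%5F" cannot slip past it. Unsafe or malformed keys are
// dropped and returned in `rejected` so the caller can log or refuse the request.
function parseQuery(query) {
  const params = Object.create(null);
  const rejected = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    let key, value;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
      value = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    } catch (e) { rejected.push(rawKey); continue; } // malformed percent-encoding
    if (isUnsafeKeyPath(key)) { rejected.push(key); continue; }
    setParamValue(params, key, value);
  }
  return { params, rejected };
}
```

Because `params` and every nested object have a null prototype, a benign lookup such as `params.filter.status` never falls through to inherited properties either.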

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
backbone-query-parameters (npm) | <= 0.4.0 | none

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)