VYPR
High severity · NVD Advisory · Published Apr 23, 2021 · Updated Nov 3, 2025

CVE-2021-20086

Description

CVE-2021-20086 is a prototype pollution vulnerability in jquery-bbq 1.2.1 allowing arbitrary property injection into Object.prototype via crafted query strings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Analysis

CVE-2021-20086 is a prototype pollution vulnerability found in jquery-bbq version 1.2.1. The $.deparam function, which parses URL query strings into JavaScript objects, does not restrict writes to object prototype attributes. This allows an attacker to inject properties into Object.prototype by supplying a query string whose bracketed keys name the prototype, such as __proto__[polluted]=true. The vulnerable code is located in the jquery.ba-bbq.js file at lines 466-556 [1][2].

Exploitation

The vulnerability can be exploited without authentication by sending a malicious HTTP request to any application that uses jquery-bbq to parse query parameters. The attacker simply needs to craft a URL containing a query string that targets Object.prototype. For example, ?__proto__[test]=value would set Object.prototype.test to value. No special network position is required; the attack can be performed from any client that can make requests to the application [1].

Impact

Successful exploitation allows an attacker to inject arbitrary properties into the global Object.prototype. This can lead to a variety of security issues, including unexpected behavior in the application, denial of service, or in some cases, remote code execution if the polluted properties affect conditional checks or property accesses that lead to code execution. The impact depends on how the application uses object properties. Prototype pollution can be chained with other vulnerabilities to escalate privileges or bypass security controls [1][2].

Mitigation

The maintainer has not released a patched version of jquery-bbq. Users are advised to either avoid using the $.deparam function with untrusted input or migrate to a maintained alternative library for parsing query strings. As of the CVE publication date (2021-04-23), no official fix is available. The project appears to be archived or unmaintained [1][2].
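As an added example (not jquery-bbq's own code, and not a drop-in replacement for its full API), the following is the kind of hardened parser the mitigation above points to: it keeps the "a[b][c]=v" nesting that $.deparam users rely on, builds the result on prototype-less objects, and drops any key whose segments name __proto__, constructor or prototype, reporting them so they can be logged. All function names are this example's own.

```javascript
// Added example (not jquery-bbq's code): a hardened query-string parser that
// keeps $.deparam's "a[b][c]=v" nesting but refuses the keys that let
// jquery-bbq 1.2.1 write into Object.prototype. Names are this example's own.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Percent-decode, treating '+' as space; malformed input is kept verbatim.
function dec(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// "a[b][]" -> ["a", "b", ""]; null when the bracket syntax is malformed.
function splitKey(key) {
  const m = /^([^[\]]*)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return null;
  const parts = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let seg;
  while ((seg = re.exec(m[2])) !== null) parts.push(seg[1]);
  return parts;
}

// Returns { params, rejected }: params is a prototype-less object tree,
// rejected lists raw keys that were dropped because a segment named a
// prototype property (the CVE-2021-20086 pattern) or was malformed.
function safeDeparam(query) {
  const params = Object.create(null);   // nothing to pollute at the root
  const rejected = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : dec(pair.slice(eq + 1));
    const parts = splitKey(dec(rawKey));
    if (!parts || parts.some((p) => FORBIDDEN_KEYS.has(p))) {
      rejected.push(rawKey);              // log or alert on these in production
      continue;
    }
    let cur = params;
    // Walk/create intermediate levels; once a level is a list, values are pushed.
    for (let i = 0; i < parts.length - 1 && !Array.isArray(cur); i++) {
      const container = parts[i + 1] === '' ? [] : Object.create(null);
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = container;
      cur = cur[parts[i]];
    }
    const last = parts[parts.length - 1];
    if (Array.isArray(cur)) cur.push(value); else cur[last] = value;
  }
  return { params, rejected };
}
```

Feeding the parser the query string from the Exploitation section leaves Object.prototype untouched and surfaces the offending key in rejected, which is the signal to alert on.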

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          | Affected versions | Patched versions
jquery-bbq (npm) | <= 1.2.1          | (none)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)