VYPR
High severity · NVD Advisory · Published Apr 23, 2021 · Updated Aug 14, 2025

CVE-2021-20087

Description

Prototype Pollution in jquery-deparam 0.5.1 allows attacker-controlled properties to be injected into Object.prototype via crafted query parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') exists in jquery-deparam version 0.5.1. The deparam function splits query parameters on & and =, then recursively assigns values to nested keys. When a key such as __proto__[polluted] is processed, the function sets properties directly on Object.prototype without proper validation [1][2]. All uses of the library that parse untrusted query strings are affected.

Exploitation

An attacker needs only to supply a crafted URL query string to an application that calls jQuery.deparam() with attacker-controlled input. No authentication or special network position is required beyond the ability to deliver a link or otherwise inject the parameter string. The attack exploits the library's naive property assignment logic: keys like a[__proto__][polluted] cause the value to be set on the prototype chain [2].

Impact

Successful exploitation allows the attacker to pollute Object.prototype with arbitrary properties. This can alter the runtime behavior of all objects in the application, potentially leading to privilege escalation, security control bypass, or denial of service. The prototype pollution can be leveraged for further attacks (e.g., XSS or property injection affecting subsequent code) depending on how the polluted prototype is used by the application [1][2].

Mitigation

No official patch for jquery-deparam 0.5.1 has been released as of the last available references. Users should consider replacing jquery-deparam with a maintained alternative that properly sanitizes __proto__, constructor, and prototype keys, or implement input validation to reject such keys before passing them to the function. The library is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1][2][3].
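As an added example (not jquery-deparam's own code, and not a patch for it), the following deparam-style parser implements the key rejection the mitigation describes: a pair whose key contains a __proto__, constructor or prototype segment is dropped and recorded, and the result object is created with a null prototype so there is no chain to walk. The function names and the sample query strings are my own.

```javascript
// Added example, not jquery-deparam's own code: a deparam-style parser
// (a[b][c]=1 -> nested objects, a[]=1 -> arrays) that refuses the key
// segments which would let "__proto__[polluted]=1" reach Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Decode a component; malformed percent-escapes are returned as-is.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch { return s; }
}

// "a[b][c]" -> ["a", "b", "c"]; "a[]" -> ["a", ""]; "plain" -> ["plain"].
function splitKey(key) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const parts = [m[1]];
  const bracket = /\[([^[\]]*)\]/g;
  let seg;
  while ((seg = bracket.exec(m[2])) !== null) parts.push(seg[1]);
  return parts;
}

// Returns { params, rejected }; rejected lists dropped raw keys for logging.
function safeDeparam(query) {
  const params = Object.create(null); // no prototype chain to pollute
  const rejected = [];
  for (const pair of query.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : decode(pair.slice(eq + 1));
    const parts = splitKey(decode(rawKey)); // decode first: catches %5F%5Fproto%5F%5F
    if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
      rejected.push(rawKey);
      continue;
    }
    let cur = params;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      if (typeof cur[p] !== "object" || cur[p] === null) {
        cur[p] = parts[i + 1] === "" ? [] : Object.create(null);
      }
      cur = cur[p];
    }
    const last = parts[parts.length - 1];
    if (last === "" && Array.isArray(cur)) cur.push(value); else cur[last] = value;
  }
  return { params, rejected };
}

console.log(safeDeparam("a[b]=1&__proto__[polluted]=1&a[__proto__][x]=2"));
```

Logging the rejected keys gives a cheap detection signal: a legitimate client never sends a __proto__ segment, so any entry in that list is worth alerting on.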

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: jquery-deparam (npm)
Affected versions: <= 0.5.3
Patched versions: none listed

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (No linked articles in our index yet.)