VYPR
High severity · NVD Advisory · Published Apr 23, 2021 · Updated Aug 3, 2024

CVE-2021-20088

Description

Mootools-more 1.6.0 allows prototype pollution via String.parseQueryString when parsing untrusted query strings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-20088 is a prototype pollution vulnerability in the mootools-more JavaScript library, version 1.6.0 and possibly earlier. The flaw resides in the String.parseQueryString method defined in Source/Types/String.QueryString.js [1][2][3]. The method recursively assigns parsed key-value pairs into an object without rejecting keys that reach Object.prototype. Specifically, when a query string contains keys such as __proto__[test] or constructor[prototype][test], the vulnerable code at lines 46+ traverses into the prototype chain and injects properties into Object.prototype [3]. The vulnerability is reachable whenever an application calls String.parseQueryString on user-controlled input (e.g., from location.search or any other untrusted string) without prior sanitization.

Exploitation

An attacker requires no authentication and only needs to deliver a specially crafted query string to an application that uses the vulnerable parseQueryString method. The exploitation steps involve: (1) crafting a URL or input string containing payloads such as ?__proto__[test]=test or ?constructor[prototype][test]=test; (2) passing that string to String.parseQueryString() (e.g., via String.parseQueryString(location.search.slice(1))); (3) the method then iterates over the keys and, due to the lack of prototype-key filtering, sets properties on Object.prototype, effectively polluting all JavaScript objects in the page context [3]. No user interaction beyond loading the affected page is required.

Impact

Successful exploitation leads to arbitrary property injection into Object.prototype. Because every ordinary object inherits from that prototype, this can alter the behavior of all objects in the runtime, potentially enabling further attacks such as denial of service or privilege escalation, depending on application logic that relies on a property being absent or on a default value. The impact is considered high because it can undermine client-side security assumptions and facilitate cross-site scripting or data corruption in applications using the library.

Mitigation

As of the available references, no official patched version of mootools-more has been released [1][2][3]. Users are advised to avoid using the String.parseQueryString method with untrusted input, or to apply input sanitization that rejects prototype-related keys (e.g., __proto__, constructor, prototype). If the library is no longer maintained, consider migrating to an alternative query-string parsing library that is not vulnerable to prototype pollution. This CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
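The mitigation above (reject prototype-related keys before they are written into the parsed object) is illustrated below. This is an added example, not mootools-more's own code and not a patch for it: a stand-alone query-string parser that supports the same bracketed nesting (`a[b][c]=v`, `tags[]=x`) but URL-decodes each key first, rejects any path segment named `__proto__`, `constructor` or `prototype`, and builds results on null-prototype objects so a write can never land on Object.prototype. The function names `safeParseQueryString`, `splitKey` and `isPrototypeClean`, and the sample query string, are constructed for this example.

```javascript
// Added example (not mootools-more code): a hardened query-string parser.
// Keys like a[b][c]=v nest into objects; a[]=v appends with a numeric index.

// Path segments that would let a write walk onto Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][c]" into ["a", "b", "c"]; return null for malformed keys.
function splitKey(rawKey) {
  const match = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(rawKey);
  if (!match) return null;
  const parts = [match[1]];
  const bracket = /\[([^[\]]*)\]/g;
  let m;
  while ((m = bracket.exec(match[2])) !== null) parts.push(m[1]);
  return parts;
}

// Parse a query string (with or without leading "?") into a nested object.
// Returns { result, rejected } where rejected lists keys that were refused.
function safeParseQueryString(query) {
  const result = Object.create(null); // null prototype: nothing to pollute here
  const rejected = [];
  const text = query.startsWith("?") ? query.slice(1) : query;

  for (const pair of text.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    // Decode BEFORE inspecting the key, so %5F%5Fproto%5F%5F is caught too.
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));

    const parts = splitKey(rawKey);
    if (parts === null || parts.some((p) => FORBIDDEN_KEYS.has(p))) {
      rejected.push(rawKey); // refuse the whole key, do not try to "clean" it
      continue;
    }

    // Walk/create intermediate containers; "" means "next numeric index".
    let cursor = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i] === "" ? String(Object.keys(cursor).length) : parts[i];
      const own = Object.prototype.hasOwnProperty.call(cursor, part);
      if (!own || typeof cursor[part] !== "object" || cursor[part] === null) {
        cursor[part] = Object.create(null);
      }
      cursor = cursor[part];
    }
    const last = parts[parts.length - 1];
    const leaf = last === "" ? String(Object.keys(cursor).length) : last;
    cursor[leaf] = value;
  }
  return { result, rejected };
}

// Post-condition check a test suite can run after parsing untrusted input:
// a plain object must not have acquired the probe property via its prototype.
function isPrototypeClean(probe) {
  return !(probe in Object.prototype) && ({})[probe] === undefined;
}

// Constructed sample input mixing the payload shapes named in the advisory
// with ordinary keys.
const SAMPLE_QUERY =
  "?__proto__[polluted]=yes&constructor[prototype][polluted]=yes" +
  "&%5F%5Fproto%5F%5F[polluted]=yes&user[name]=alice&tags[]=a&tags[]=b";

const parsed = safeParseQueryString(SAMPLE_QUERY);
console.log("rejected keys:", parsed.rejected);
console.log("user.name:", parsed.result.user.name);
console.log("prototype clean:", isPrototypeClean("polluted"));
```

The two design choices that matter are the order of operations (decode, then inspect every path segment, then write) and refusing the whole key rather than stripping the offending segment; stripping would silently turn `__proto__[x]` into a write to `x`. The `isPrototypeClean` probe is the kind of assertion worth keeping in a regression test for any code that parses untrusted query strings.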

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mootools-more (npm)
Affected versions: <= 1.6.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the index yet)