VYPR
High severity · NVD Advisory · Published Feb 8, 2021 · Updated Aug 3, 2024

Prototype Pollution in Dynamoose

CVE-2021-21304

Description

Dynamoose 2.0.0–2.6.0 contained a prototype pollution vulnerability in its internal set utility, fixed in version 2.7.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Analysis

CVE-2021-21304 describes a prototype pollution vulnerability in Dynamoose, an open-source modeling tool for Amazon DynamoDB. The flaw resides in the internal utility method lib/utils/object/set.ts, which is used throughout the codebase for operations such as setting values on objects. Prototype pollution occurs when an attacker can inject properties into the global Object.prototype, potentially leading to unexpected behavior like property injection or denial of service. This vulnerability affects Dynamoose versions 2.0.0 through 2.6.0, including beta and alpha releases of version 2.x. Versions 1.x.x are not impacted because the vulnerable method was introduced as part of the version 2 rewrite [1][2].

Exploitation and Impact

To exploit this vulnerability, an attacker would need to pass crafted input that flows into the set utility. The exact attack surface depends on how Dynamoose is used in an application; for example, if user-controlled data is processed through Dynamoose’s object utilities, it could lead to prototype pollution. There is no public evidence that this vulnerability has been exploited in the wild [1][4]. The impact of successful exploitation could include tampering with application logic, bypassing security checks, or causing a denial of service, depending on the context of the application.

Mitigation and Patching

The maintainers patched this vulnerability in Dynamoose version 2.7.0, which includes a fix in commit 324c62b. Users are strongly advised to upgrade to version 2.7.0 or later. No workarounds are available for versions prior to the patch [2][4]. The vulnerability was discovered through GitHub CodeQL code scanning [4].

References

While no additional CVE IDs are cited, related security advisory details can be found in the GitHub Security Advisory (GHSA-rrqm-p222-8ph2) referenced in [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions     Patched versions
dynamoose (npm)    >= 2.0.0, < 2.7.0     2.7.0

Affected products: 2

Patches: 1

324c62b47092

Merge pull request from GHSA-rrqm-p222-8ph2

https://github.com/dynamoose/dynamoose · Charlie Fish · Feb 6, 2021 · via ghsa
2 files changed · +12 −1
  • lib/utils/object/set.ts · +4 −1 · modified
    @@ -15,7 +15,10 @@ export = <T>(object: GeneralObject<T>, key: string, value: any): GeneralObject<T
     		objectRef = objectRef[part];
     	});
     
    -	objectRef[keyParts[keyParts.length - 1]] = value;
    +	const finalKey: string = keyParts[keyParts.length - 1];
    +	if (finalKey !== "__proto__" && finalKey !== "constructor") {
    +		objectRef[finalKey] = value;
    +	}
     
     	return object;
     };
    
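Review bot: the guard `if (finalKey !== "__proto__" && finalKey !== "constructor")` only validates the last path segment, while the traversal just above it (`objectRef = objectRef[part];`) still follows every intermediate segment unchecked, so the new check does not cover paths whose earlier segment names a prototype-reaching property. Consider validating all of keyParts up front (rejecting "__proto__", "constructor" and "prototype" in any position, or only descending into own properties), and throwing rather than returning the object unchanged, since callers currently cannot tell that the write was dropped.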
  • test/unit/utils/object/set.js · +8 −0 · modified
    @@ -38,6 +38,14 @@ describe("utils.object.set", () => {
     		{
     			"input": [{"data": []}, "data.0", {"hello": "world"}],
     			"output": {"data": [{"hello": "world"}]}
    +		},
    +		{
    +			"input": [{}, "__proto__", "Hello"],
    +			"output": {}
    +		},
    +		{
    +			"input": [{}, "constructor", "Hello"],
    +			"output": {}
     		}
     	];
     
    
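Review bot: the two new cases are weaker than they look: the value is the string "Hello", and assigning a non-object to `__proto__` is a no-op in JavaScript, so the pre-patch code would also leave the object unchanged; and deep-comparing the result to `{}` cannot detect a write that landed on Object.prototype, because inherited properties are not own properties. Use an object value (e.g. `{"polluted": true}`), assert after the call that a fresh `{}` does not inherit it, and add a case where "__proto__" appears as an intermediate segment rather than the last one.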

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.