VYPR
High severity · NVD Advisory · Published Oct 20, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23452

Description

All versions of x-assign are vulnerable to prototype pollution via __proto__, impacting JavaScript applications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The package x-assign (all versions) is vulnerable to prototype pollution. The assign function recursively merges objects without sanitizing the __proto__ property, allowing an attacker to pollute the global Object.prototype [1][2].

Exploitation

An attacker can pass a crafted object with a __proto__ key to the assign function. Because the merge recursively copies properties without checking for __proto__, the attacker's properties are injected into the prototype chain. No authentication is required if the attacker controls the input source [2].

Impact

Successful exploitation leads to prototype pollution, which can cause denial of service (throwing exceptions) or, in some contexts, remote code execution by manipulating application behavior [2].

Mitigation

No fix has been released for x-assign. Users should avoid using the package or switch to an alternative that sanitizes __proto__. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| x-assign (npm) | <= 0.1.4 | |

Affected products

2

Patches

0

No patches discovered yet.

References

4
