VYPR
High severity · NVD Advisory · Published Jan 21, 2022 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23460

Description

The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The min-dash package before 3.8.1 is vulnerable to Prototype Pollution via the set method, allowing attackers to manipulate object prototypes.

Vulnerability

The min-dash JavaScript library before version 3.8.1 is vulnerable to Prototype Pollution through its set method [1]. The method fails to enforce key types, allowing an attacker to inject properties such as __proto__ into the object's prototype chain. This affects all versions prior to 3.8.1 [2].

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted object containing keys like __proto__, constructor, or prototype to the set method [3][4]. No authentication is required if the attacker can control input to the set method, which is typically possible in libraries that accept untrusted data. The attack simply involves passing such an object to the vulnerable function.

Impact

Successful exploitation leads to Prototype Pollution, where properties injected into Object.prototype are inherited by all JavaScript objects in the application [3][4]. This can result in denial of service through uncaught exceptions, or potentially remote code execution if the polluted properties affect security-sensitive code paths [2]. The impact depends on the application's usage of the library and the environment.

Mitigation

The vulnerability is fixed in min-dash version 3.8.1, released on January 21, 2022 [1]. Users should upgrade to this version or later. If upgrading is not possible, consider sanitizing inputs to the set method to reject prototype keys, though no official workaround is provided [2].
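The key validation the fix introduces, as an added example in plain JavaScript (not min-dash's own code): a minimal set(target, path, value) that applies the same checks as the patched lib/object.js but validates the whole path before any write, plus a helper that confirms Object.prototype stayed clean. The names safeSet, assertSafeKey, isPrototypeClean and tryPath are assumptions of this example.

```javascript
// Added example (not min-dash's own code): a minimal set(target, path, value)
// with the key validation the 3.8.1 fix adds, so a path such as
// ['__proto__', 'polluted'] or ['constructor', 'prototype', 'polluted']
// can never reach Object.prototype. Names below are assumed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor']);

// Mirrors the checks added in lib/object.js: keys must be plain numbers or
// strings (arrays and objects used as keys are rejected), and the two
// prototype-reaching keys are refused outright.
function assertSafeKey(key) {
  if (typeof key !== 'number' && typeof key !== 'string') {
    throw new Error('illegal key type: ' + typeof key + '. Key should be of type number or string.');
  }
  if (FORBIDDEN_KEYS.has(key)) {
    throw new Error('illegal key: ' + key);
  }
}

// Walks `path`, creating intermediate containers as needed, and assigns `value`
// at the final key. The whole path is validated first, so a bad key anywhere
// in it leaves `target` untouched (the patch validates per key while writing).
function safeSet(target, path, value) {
  path.forEach(assertSafeKey);
  let current = target;
  path.forEach(function(key, idx) {
    if (idx === path.length - 1) {
      current[key] = value;
    } else {
      if (typeof current[key] !== 'object' || current[key] === null) {
        current[key] = typeof path[idx + 1] === 'number' ? [] : {};
      }
      current = current[key];
    }
  });
  return target;
}

// Defender-side check: a fresh object must not inherit `name`; if it does,
// something has polluted Object.prototype.
function isPrototypeClean(name) {
  return !(name in {});
}

// Returns the error message for a rejected path, or null if it was accepted.
function tryPath(path) {
  try { safeSet({}, path, 'x'); return null; } catch (e) { return e.message; }
}
```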

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions   Patched versions
min-dash (npm)                     < 3.8.1             3.8.1
org.webjars.npm:min-dash (Maven)   < 3.8.1             3.8.1


Patches

2c6689e2aa29

fix(object#set): enforce key types

https://github.com/bpmn-io/min-dash · Martin Stamm · Jan 17, 2022 · via ghsa
2 files changed · +29 −0
  • lib/object.js · +8 −0 · modified
    @@ -35,6 +35,14 @@ export function set(target, path, value) {
     
       forEach(path, function(key, idx) {
     
    +    if (typeof key !== 'number' && typeof key !== 'string') {
    +      throw new Error('illegal key type: ' + typeof key + '. Key should be of type number or string.');
    +    }
    +
    +    if (key === 'constructor') {
    +      throw new Error('illegal key: constructor');
    +    }
    +
         if (key === '__proto__') {
           throw new Error('illegal key: __proto__');
         }
    
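Review bot: the new `constructor` guard in the second added block is a blanket rejection, so any legitimate path that genuinely contains a property named constructor now throws too; if that trade-off is intended, state it in the error message or changelog, and consider collapsing the __proto__ and constructor branches into one lookup against a forbidden-key set so later additions land in one place. Also, because the checks run per key inside forEach, a path whose illegal key is not the first element has already written its earlier segments before the throw; validating the whole path before any write would leave the target untouched on rejection.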
  • test/object.spec.js · +21 −0 · modified
    @@ -448,6 +448,27 @@ describe('object', function() {
           }).to.throw(/illegal key/);
         });
     
    +
    +    it('should not allow prototype polution via constructor', function() {
    +      expect(function() {
    +        set({}, ['constructor', 'prototype', 'polluted'], 'success');
    +      }).to.throw(/illegal key/);
    +    });
    +
    +
    +    it('should not allow array as key', function() {
    +      expect(function() {
    +        set({}, [['__proto__'], 'polluted'], 'success');
    +      }).to.throw(/illegal key type/);
    +    });
    +
    +
    +    it('should not allow object as key', function() {
    +      expect(function() {
    +        set({}, [{}, 'polluted'], 'success');
    +      }).to.throw(/illegal key type/);
    +    });
    +
       });
     
     
    
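Review bot: the three new cases only assert that set throws; none checks that Object.prototype is still clean afterwards (for example `expect({}.polluted).to.be.undefined`), which is the property the fix actually protects, and there is no positive test that numeric keys still pass the new typeof guard. Minor: 'polution' in the first test title should read 'pollution'.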
