VYPR
High severity · NVD Advisory · Published Feb 4, 2022 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23470

Description

Prototype Pollution in putil-merge before 3.8.0 via malicious constructor property, enabling denial of service or remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The merge() function in the putil-merge npm package prior to version 3.8.0 does not properly validate property keys during recursive (deep) merge operations. An attacker can supply a malicious object that includes the constructor property to achieve Prototype Pollution. This vulnerability is an incomplete fix of a previous issue (see [1][3]): earlier versions only skipped the __proto__ key but did not filter the constructor key. Because merge() iterates the source's own property names, a JSON-parsed "constructor" key is visited like any other, while on a plain target object constructor is inherited from Object.prototype and resolves to the Object function; its prototype property is Object.prototype itself, so a deep merge of constructor.prototype writes attacker-controlled keys onto the global prototype. Affected versions: all before 3.8.0.

Exploitation

An attacker with the ability to control the source argument passed to merge() in deep mode (the patched test case uses {deep: true}) — for example, by providing crafted JSON input that is later merged into a configuration or options object — can trigger the vulnerability. By setting "constructor": {"prototype": {"polluted": "yes"}} in the source object, the recursive merge traverses into constructor.prototype and adds properties to Object.prototype; the target object itself gains no own properties, which is why the pollution is easy to miss in logs or debug output. No authentication or special privileges are required; the attack depends on the application deep-merging untrusted data [2][4].
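To make the traversal concrete, the following added example (written for this page, not code from putil-merge or its author) pairs a minimal recursive merge that keeps only the pre-3.8.0 filter (skip __proto__) with a hardened version, then runs the advisory's payload against both and checks what an unrelated, freshly created object sees. The function names, the isMergeable helper, the probe harness and the payload string are this example's own constructions; the example assumes that the recursive step descends into whatever target[key] resolves to, including an inherited value such as {}.constructor === Object, which is the path by which "constructor" followed by "prototype" lands on Object.prototype.

```javascript
// Added example, not putil-merge's own code. Demonstrates why skipping only
// "__proto__" is insufficient and what a hardened recursive merge looks like.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assumption for this example: functions count as mergeable containers, so
// the recursion can reach Object (via the inherited "constructor") and then
// Object.prototype (via Object's "prototype" property).
function isMergeable(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Pre-3.8.0 style guard: blocks "__proto__" only.
function mergeVulnerable(target, source) {
  for (const key of Object.getOwnPropertyNames(source)) {
    if (key === '__proto__') continue;              // the only guard
    const value = source[key];
    if (isMergeable(value)) {
      if (!isMergeable(target[key])) target[key] = {};
      mergeVulnerable(target[key], value);          // may recurse into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse every key that can reach a prototype, and only ever
// recurse into the target's *own* plain-object properties, so an inherited
// value such as Object can never become a merge destination.
function mergeSafe(target, source) {
  for (const key of Object.getOwnPropertyNames(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload, the same shape as the advisory's test case.
const PAYLOAD_JSON = '{"constructor": {"prototype": {"polluted": "yes"}}}';

// Merges the payload with the given implementation and reports what a brand
// new, unrelated object inherits afterwards. Always removes the polluted key
// again so later code (and a test suite) is not affected by the probe.
function probe(mergeFn) {
  const target = {};
  try {
    mergeFn(target, JSON.parse(PAYLOAD_JSON));
    return { polluted: ({}).polluted, ownKeys: Object.keys(target) };
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('pre-3.8.0 style filter:', probe(mergeVulnerable)); // polluted: 'yes', ownKeys: []
console.log('hardened filter:       ', probe(mergeSafe));       // polluted: undefined, ownKeys: []
```

Note that in the vulnerable run the target ends up with no own keys at all: the only side effect is the new property on Object.prototype, which is exactly what the patched test case's assertion on obj.polluted picks up through inheritance.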

Impact

Successful exploitation results in Prototype Pollution, which can lead to denial of service (through JavaScript exceptions) or, depending on application logic, remote code execution if the polluted property alters the behavior of subsequently executed code. The attacker can inject arbitrary properties into the global Object.prototype, potentially affecting all objects in the application and enabling further attacks such as property injection or default value overwriting [3].

Mitigation

Upgrade to putil-merge version 3.8.0 or later, which extends the existing __proto__ check to also skip the constructor key during merge (commit 476d000) [4]. If the package cannot be updated, the options.filter callback that merge() already consults for every key (visible in the patched code) can be used to reject "constructor" and "__proto__", but the safer course is not to deep-merge untrusted objects at all. As of publication, there is no known listing in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: putil-merge (npm)
Affected versions: < 3.8.0
Patched versions: 3.8.0

Affected products

2

Patches

1
476d00078dfb

Fixed Prototype Pollution vulnerability (constructor). Thanks to Gill from Snyk Security

https://github.com/panates/putil-merge · Eray Hanoğlu · Feb 2, 2022 · via ghsa
3 files changed · +11 −4
  • lib/merge.js+1 1 modified
    @@ -33,7 +33,7 @@ function merge(target, source, options = {}) {
       const keys = Object.getOwnPropertyNames(source);
       keys.push(...Object.getOwnPropertySymbols(source));
       for (const key of keys) {
    -    if (key === '__proto__')
    +    if (key === '__proto__' || key === 'constructor')
           continue;
         if (options.filter && !options.filter(source, key))
           continue;
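Review bot: the guard in the `for (const key of keys)` loop is still a name denylist, and the real sink is the recursion into `target[key]`, which for a plain target resolves the inherited `constructor` to `Object` and then `Object.prototype`. Consider also skipping `'prototype'`, and in the deep-merge branch only recursing into values that are the target's own properties (an `Object.prototype.hasOwnProperty.call(target, key)` check) so an inherited function or prototype can never become the merge destination regardless of the key name.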
    
  • package.json+2 2 modified
    @@ -19,9 +19,9 @@
         "object"
       ],
       "devDependencies": {
    -    "eslint": "^7.19.0",
    +    "eslint": "^8.8.0",
         "eslint-config-google": "^0.14.0",
    -    "mocha": "^9.0.2",
    +    "mocha": "^9.2.0",
         "nyc": "^15.1.0"
       },
       "engines": {
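Review bot: the eslint and mocha bumps in this hunk are unrelated to the vulnerability fix; landing them in a separate commit keeps the security patch minimal and easy to backport or cherry-pick.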
    
  • test/merge.js+8 1 modified
    @@ -237,11 +237,18 @@ describe('merge', function() {
         );
       });
     
    -  it('should prevent Prototype Pollution vulnerability', function() {
    +  it('should prevent Prototype Pollution vulnerability (__proto__)', function() {
         const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
         const obj = {};
         merge(obj, payload, {deep: true});
         assert.strictEqual(obj.polluted, undefined);
       });
     
    +  it('should prevent Prototype Pollution vulnerability (constructor)', function() {
    +    const payload = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}');
    +    let obj = {};
    +    merge(obj, payload, {deep: true});
    +    assert.strictEqual(obj.polluted, undefined);
    +  });
    +
     });
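Review bot: the new constructor test asserts `obj.polluted` on the target only, which works because the pollution is observed through inheritance, but a failing run leaves `Object.prototype.polluted` set for every later test in the file. Assert on a fresh object (`assert.strictEqual(({}).polluted, undefined)`) and add an `afterEach` that deletes `Object.prototype.polluted`; also use `const obj` as in the `__proto__` test above for consistency.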
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.