VYPR
Moderate severity · NVD Advisory · Published Nov 3, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23807

Description

A type confusion in jsonpointer before 5.0.0 lets pointer components supplied as arrays bypass the earlier prototype pollution fix, enabling arbitrary property injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The jsonpointer npm package before version 5.0.0 contains a type confusion vulnerability [1]. When the pointer components are provided as arrays, the previous prototype pollution fix can be bypassed. The function jsonpointer.set improperly handles array-typed pointers, allowing operations on __proto__ and constructor.prototype that were previously blocked for string pointers [4]. This affects all versions prior to 5.0.0 [1][4].

Exploitation

An attacker can call jsonpointer.set with an array pointer, such as [['__proto__'], 'boo'], to pollute the prototype chain without triggering the validation intended for string pointers [4]. Exploitation requires network access to an application that uses the library to set values based on user-controlled pointers, and the attacker may need write access to the pointer input [2]. No authentication is assumed if the pointer input is directly exposed [2].

Impact

Successful prototype pollution allows the attacker to inject arbitrary properties into Object.prototype, which are then inherited by all JavaScript objects [2]. This can lead to denial of service via exceptions, tampering with application logic, or remote code execution depending on how the polluted properties are used downstream [2][3]. The attacker effectively bypasses the original fix for prototype pollution in jsonpointer [1].

Mitigation

Upgrade to jsonpointer version 5.0.0 or later, which includes proper validation of array pointer components [1][4]. The fix was introduced in commit a0345f3 [4]. No workarounds are documented; the only reliable mitigation is updating the library. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
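
The type confusion described above, as an added example that is not jsonpointer's own code: a strict-equality guard misses an array component that property access later coerces to `__proto__`, while a type check plus a per-component check stops it. The helper names (`oldGuardBlocks`, `newGuardBlocks`, `setWith`, `outcome`) and the sample pointers are constructed for illustration, and index 0 is assumed to be the root token, as in a split string pointer.

```javascript
// Added illustration; hypothetical helpers, not jsonpointer's source.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype'])

// Pre-fix style guard: strict equality at fixed positions only.
function oldGuardBlocks (parts) {
  return parts[1] === '__proto__' ||
    (parts[1] === 'constructor' && parts[2] === 'prototype')
}

// Post-fix style guard: reject non-primitive components, then check
// every component after the root token.
function newGuardBlocks (parts) {
  for (const part of parts) {
    if (typeof part !== 'string' && typeof part !== 'number') {
      throw new TypeError('Invalid JSON pointer. Must be of type string or number.')
    }
  }
  return parts.slice(1).some(part => BLOCKED.has(part))
}

// Minimal setter: parts[0] is the root token, the rest are keys.
// Property access coerces a key such as ['__proto__'] to '__proto__'.
function setWith (guardBlocks, obj, parts, value) {
  if (guardBlocks(parts)) return obj
  let node = obj
  for (let i = 1; i < parts.length - 1; i++) {
    if (node[parts[i]] === undefined) node[parts[i]] = {}
    node = node[parts[i]]
  }
  node[parts[parts.length - 1]] = value
  return obj
}

// Runs one constructed pointer, reports the result, then removes the
// marker property so nothing stays on Object.prototype.
function outcome (guardBlocks, parts) {
  try {
    setWith(guardBlocks, {}, parts, 'polluted')
    return ({}).boo === 'polluted' ? 'polluted' : 'blocked'
  } catch (err) {
    return 'rejected'
  } finally {
    delete Object.prototype.boo
  }
}

console.log(outcome(oldGuardBlocks, ['', '__proto__', 'boo']))   // blocked
console.log(outcome(oldGuardBlocks, ['', ['__proto__'], 'boo'])) // polluted
console.log(outcome(newGuardBlocks, ['', ['__proto__'], 'boo'])) // rejected
```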

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
jsonpointer (npm) | < 5.0.0 | 5.0.0
org.webjars.npm:json-pointer (npm) | < 5.0.0 | 5.0.0

Affected products

23

Patches

1
a0345f3550cd

Merge pull request #51 from dellalibera/fix-prototype-pollution

https://github.com/janl/node-jsonpointer · Jan Lehnardt · Oct 31, 2021 · via ghsa
2 files changed · +31 -3
  • jsonpointer.js +7 -3 modified
    @@ -17,10 +17,9 @@ function setter (obj, pointer, value) {
       var part
       var hasNextPart
     
    -  if (pointer[1] === 'constructor' && pointer[2] === 'prototype') return obj
    -  if (pointer[1] === '__proto__') return obj
    -
       for (var p = 1, len = pointer.length; p < len;) {
    +    if (pointer[p] === 'constructor' || pointer[p] === 'prototype' || pointer[p] === '__proto__') return obj
    +
         part = untilde(pointer[p++])
         hasNextPart = len > p
     
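Review bot: In `setter`, the new guard inside the loop compares `pointer[p]` with `===`, so it only matches primitive strings and depends on the type check added to `compilePointer` to keep array components out; a short comment stating that dependency would stop a later refactor from separating the two checks. The guard also makes any pointer with a component named `constructor` or `prototype` return `obj` without writing and without an error, which is broader than the removed `constructor`/`prototype` pair check; consider throwing, as the array path does, or documenting the silent no-op.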
    @@ -53,6 +52,11 @@ function compilePointer (pointer) {
         if (pointer[0] === '') return pointer
         throw new Error('Invalid JSON pointer.')
       } else if (Array.isArray(pointer)) {
    +    for (const part of pointer) {
    +      if (typeof part !== 'string' && typeof part !== 'number') {
    +        throw new Error('Invalid JSON pointer. Must be of type string or number.')
    +      }
    +    }
         return pointer
       }
     
    
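Review bot: The loop added to the `Array.isArray(pointer)` branch of `compilePointer` uses `for (const part of pointer)` while the rest of the visible code is written with `var` and indexed `for` loops; if the package still targets runtimes without ES2015 support, write it as an indexed loop to match. The `typeof part !== 'number'` test also lets `NaN` and `Infinity` through, so a finite-number check would make the accepted set explicit.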
  • test.js +24 -0 modified
    @@ -136,4 +136,28 @@ var c = {}
     jsonpointer.set({}, '/__proto__/boo', 'polluted')
     assert(!c.boo, 'should not boo')
     
    +var d = {}
    +jsonpointer.set({}, '/foo/__proto__/boo', 'polluted')
    +assert(!d.boo, 'should not boo')
    +
    +jsonpointer.set({}, '/foo/__proto__/__proto__/boo', 'polluted')
    +assert(!d.boo, 'should not boo')
    +
    +var e = {}
    +jsonpointer.set({}, '/foo/constructor/prototype/boo', 'polluted')
    +assert(!e.boo, 'should not boo')
    +
    +jsonpointer.set({}, '/foo/constructor/constructor/prototype/boo', 'polluted')
    +assert(!e.boo, 'should not boo')
    +
    +assert.throws(function () { jsonpointer.set({}, [['__proto__'], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [[['__proto__']], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [['__proto__'], ['__proto__'], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [[['__proto__']], [['__proto__']], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [['__proto__'], ['__proto__'], ['__proto__'], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [['foo'], ['__proto__'], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [['foo'], ['__proto__'], ['__proto__'], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [['constructor'], ['prototype'], 'boo'], 'polluted')}, validateError)
    +assert.throws(function () { jsonpointer.set({}, [['constructor'], ['constructor'], ['prototype'], 'boo'], 'polluted')}, validateError)
    +
     console.log('All tests pass.')
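Review bot: Every array-pointer case added at the end of this hunk nests the blocked key inside an inner array, so all of them are stopped by the type check in `compilePointer` and none exercises the new per-component guard in `setter` with an array of plain strings. Add a case whose array components are plain strings, and one showing that string and number components are still accepted, so a regression in either check is caught separately. The string cases only assert on `d.boo` and `e.boo` after the call, so a failing run would leave `boo` on `Object.prototype` for the assertions that follow; deleting it in a cleanup step would keep the cases independent.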
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
