VYPR
Critical severity · NVD Advisory · Published Feb 8, 2021 · Updated Aug 3, 2024

CVE-2021-25913

Description

Prototype pollution in set-or-get (1.0.0–1.2.10) lets attackers cause denial of service and potentially remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Analysis

The set-or-get npm library is a small utility for setting or getting nested object properties. Versions 1.0.0 through 1.2.10 are vulnerable to prototype pollution because the SetOrGet function (lines 15-18 of the source) sets a property on the input object without validating the field parameter [2]. This allows an attacker to assign values to special JavaScript prototype properties such as __proto__, constructor, or prototype [2]. The fix, introduced in commit 82ede5c, adds a check that throws an error if the field matches one of these restricted "magical attributes" [2].
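An added example, not the set-or-get project's code, illustrating the mechanism described above: the vulnerable function body is reproduced from the fix commit with a stand-in for its deffy dependency, a hypothetical caller writes into the object it returns, and the guarded variant mirrors the 1.2.11 check. The Deffy stand-in, storeSetting and the demo functions are assumed for illustration.

```javascript
// Added example, not the set-or-get project's code. The two setOrGet variants
// reproduce the body shown in the fix commit; Deffy here is a stand-in for the
// real deffy dependency (assumption: returns def only when input is undefined).
function Deffy(input, def) {
  return typeof input === "undefined" ? def : input;
}

// Pre-fix behaviour (1.0.0 - 1.2.10): field is used unchecked as a property key.
function setOrGetVulnerable(input, field, def) {
  return input[field] = Deffy(input[field], def);
}

// Post-fix behaviour (1.2.11): the same guard the patch adds.
function setOrGetFixed(input, field, def) {
  if (field == "__proto__" || field == "constructor" || field == "prototype")
    throw new Error("Restricted setting magical attributes");
  return input[field] = Deffy(input[field], def);
}

// Hypothetical caller: a settings store keyed by a user-supplied bucket name,
// written in the nested "get-or-create container, then set" style the library
// is meant for. The inner write lands on whatever object setOrGet returned.
function storeSetting(store, bucket, key, value, setOrGet) {
  const container = setOrGet(store, bucket, {});
  container[key] = value;
  return container;
}

// With the unguarded variant, bucket "__proto__" resolves to Object.prototype
// (it is defined, so Deffy keeps it) and the nested write pollutes every object.
function demoVulnerable() {
  const store = {};                                   // constructed input
  const container = storeSetting(store, "__proto__", "isAdmin", true, setOrGetVulnerable);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;        // inherited, never set on it
  delete Object.prototype.isAdmin;                    // undo the pollution
  return { returnedPrototype: container === Object.prototype, polluted };
}

// With the guarded variant the call throws before any write reaches the prototype.
function demoFixed() {
  try {
    storeSetting({}, "__proto__", "isAdmin", true, setOrGetFixed);
    return { threw: false, polluted: ({}).isAdmin === true };
  } catch (err) {
    return { threw: true, polluted: ({}).isAdmin === true, message: err.message };
  }
}
```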

Exploitation

Prerequisites

Exploitation requires the attacker to be able to pass a crafted field string to the vulnerable function, typically through user-controllable input that is passed to set-or-get without sanitization. No authentication is required if the library is used in a publicly accessible context (e.g., a web application that processes JSON payloads). The attack vector is low-complexity and can be triggered remotely.

Impact

A successful prototype pollution attack can cause the application to behave unexpectedly, potentially leading to a denial of service (DoS). In more severe scenarios, depending on how the polluted prototype properties are used by the application or other libraries, the attacker may achieve remote code execution (RCE) [1]. The official NVD description confirms both DoS and possible RCE as impacts [1].

Mitigation

Users should upgrade set-or-get to version 1.2.11 or later, which contains the prototype pollution fix [2]. There is no known workaround other than updating. At the time of publication (2021-02-08), no exploits have been publicly disclosed, but the vulnerability is easily exploitable and should be addressed promptly. The fix was published on the same day as the CVE, so updated packages are available via npm [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions     Patched versions
set-or-get (npm)   >= 1.0.0, < 1.2.11    1.2.11

Patches

82ede5cccb2e

Security fix for Prototype Pollution

https://github.com/IonicaBizau/set-or-get.js · Arjun Shibu · Dec 17, 2020 · via ghsa
1 file changed · +2 -0
  • lib/index.js (+2 -0, modified)
    @@ -13,6 +13,8 @@ var Deffy = require("deffy");
      * @return {Object|Array} The field value.
      */
     function SetOrGet(input, field, def) {
    +    if (field == '__proto__' || field == 'constructor' || field == 'prototype')
    +        throw new Error('Restricted setting magical attributes')
         return input[field] = Deffy(input[field], def);
     }
     
    
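Review bot: the guard added at the top of SetOrGet is not reflected in the JSDoc block directly above it, which still documents only `@return {Object|Array} The field value.`; add a `@throws {Error}` line stating that `__proto__`, `constructor` and `prototype` are rejected so callers know to handle the new exception. Two small style points: the `throw` statement has no trailing semicolon while the following `return` line does, and the error message could include the rejected field name to make the failure easier to diagnose from logs.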

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
