CVE-2021-25915
Description
Prototype pollution in 'changeset' (0.0.1-0.2.5) via the apply() function permits DoS and potential RCE due to missing validation on object property assignment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The NPM package changeset (versions 0.0.1 through 0.2.5) is affected by a prototype pollution vulnerability. The apply() function, which accepts changes, target, and modify arguments, does not validate the type of object before assigning a value to a property. An attacker can inject a malicious changeset containing __proto__ as a key, leading to pollution of the Object prototype [1][2].
Attack Vector
To exploit, an attacker must supply a crafted changes argument that includes a __proto__ property path. For example, a patch like [{type: 'put', key: ['__proto__','polluted'], value: 'Yes! Its Polluted'}] will directly assign a value to Object.prototype.polluted. No prior authentication is required; the vulnerability can be triggered if an application passes untrusted user input to changeset.apply(). The attack surface is broad because the library is often used for syncing object differences with databases like LevelDB [2][3].
Impact
A successful prototype pollution attack can enable denial of service (DoS) by altering unexpected properties across all objects in the runtime. Under certain conditions—such as when subsequent code checks for the polluted property (e.g., if({}.polluted))—the attacker may achieve remote code execution (RCE) by manipulating property values that control application logic [1][2].
Mitigation
The issue was fixed in version 0.2.6. The commit [4] adds checks via hasOwnProperty() and explicitly excludes the __proto__ key during assignment and deletion operations. Users should upgrade to 0.2.6 or later to prevent prototype pollution [4].
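To make the mechanism in the Attack Vector section and the fix in the Mitigation section concrete, the following added example (not code from eugeneware/changeset) models the path-walking put/del operations a changeset-style apply() performs. It puts a vulnerable form next to a hardened one that rejects dangerous key segments up front and uses `Object.prototype.hasOwnProperty.call`, and it adds a small runtime indicator for a polluted `Object.prototype`. The function names, the `UnsafeChangeError` type and the benign sample changeset are all constructed for this illustration; the malicious changeset is the one quoted in the advisory.

```javascript
// Vulnerable model: walks ch.key and assigns at the leaf with no validation of
// the segments, so a segment of '__proto__' makes ptr point at Object.prototype.
function applyVulnerable(changes, target) {
  for (const ch of changes) {
    let ptr = target;
    const len = ch.key.length;
    ch.key.forEach((prop, i) => {
      if (i < len - 1) {
        if (typeof ptr[prop] !== 'object' || ptr[prop] === null) ptr[prop] = {};
        ptr = ptr[prop]; // for '__proto__' this is Object.prototype
      } else if (ch.type === 'put') {
        ptr[prop] = ch.value;
      } else if (ch.type === 'del') {
        delete ptr[prop];
      }
    });
  }
  return target;
}

// Hardened model (constructed for this example, not the library's fix).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
// Calling hasOwnProperty through the prototype works for Object.create(null)
// targets and cannot be shadowed by an own property named "hasOwnProperty".
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class UnsafeChangeError extends Error {}

function applyHardened(changes, target) {
  for (const ch of changes) {
    // Validate the whole path before touching the target so a rejected change
    // is never partially applied with later segments landing on the parent.
    for (const prop of ch.key) {
      if (FORBIDDEN_SEGMENTS.has(String(prop))) {
        throw new UnsafeChangeError(`refusing key segment ${JSON.stringify(prop)}`);
      }
    }
    let ptr = target;
    const len = ch.key.length;
    for (let i = 0; i < len; i++) {
      const prop = ch.key[i];
      if (i < len - 1) {
        // Descend only into own, non-null object values; otherwise create one.
        if (!hasOwn(ptr, prop) || typeof ptr[prop] !== 'object' || ptr[prop] === null) {
          ptr[prop] = {};
        }
        ptr = ptr[prop];
      } else if (ch.type === 'put') {
        ptr[prop] = ch.value;
      } else if (ch.type === 'del' && hasOwn(ptr, prop)) {
        delete ptr[prop];
      }
    }
  }
  return target;
}

// Runtime indicator: snapshot Object.prototype's own property names at startup;
// any name that appears later points at prototype pollution somewhere in the process.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function unexpectedPrototypeProperties() {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !PROTOTYPE_BASELINE.has(n));
}

// The changeset quoted in the advisory.
const MALICIOUS_CHANGES = [
  { type: 'put', key: ['__proto__', 'polluted'], value: 'Yes! Its Polluted' },
];

function demo() {
  const out = {};
  // 1. The hardened apply rejects the change and the prototype stays clean.
  try {
    applyHardened(MALICIOUS_CHANGES, {});
    out.hardenedRejected = false;
  } catch (e) {
    out.hardenedRejected = e instanceof UnsafeChangeError;
  }
  out.hardenedPolluted = ({}).polluted !== undefined;

  // 2. Ordinary put/del changes (constructed sample) still work on the hardened path.
  out.hardenedDoc = applyHardened([
    { type: 'put', key: ['user', 'name'], value: 'alice' },
    { type: 'put', key: ['user', 'role'], value: 'admin' },
    { type: 'del', key: ['user', 'role'] },
  ], {});

  // 3. The vulnerable apply pollutes Object.prototype for every object in the runtime.
  applyVulnerable(MALICIOUS_CHANGES, {});
  out.vulnerablePolluted = ({}).polluted === 'Yes! Its Polluted';
  out.indicators = unexpectedPrototypeProperties();

  // Clean up so the pollution does not leak into anything run after this demo.
  delete Object.prototype.polluted;
  return out;
}

console.log(demo());
```

The baseline snapshot is the cheap defender-side check: taken once at process start and compared after untrusted changesets are applied (or on a timer), it turns a silent pollution into a loggable event, independent of which library introduced it.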
[1] NVD - CVE-2021-25915
[2] WhiteSource Vulnerability Database
[3] GitHub - eugeneware/changeset: Library to diff JSON objects into atomic put and delete operations, and apply change sets to objects. Useful with Levelup/LevelDB object synchronization.
[4] Fix against prototype pollution · eugeneware/changeset@9e58884
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| changeset (npm) | >= 0.0.1, < 0.2.5 | 0.2.5 |
Affected products
- changeset/changeset
Patches
9e588844edbb: Fix against prototype pollution
2 files changed · +12 −3
index.js+3 −3 modified@@ -75,9 +75,9 @@ function apply(changes, target, modify) { ptr[prop] = {}; } - if (i < len - 1) { + if (i < len - 1 && ptr.hasOwnProperty(prop)) { ptr = ptr[prop]; - } else { + } else if (prop !== '__proto__') { ptr[prop] = ch.value; } }); @@ -101,7 +101,7 @@ function apply(changes, target, modify) { } else { if (Array.isArray(ptr)) { ptr.splice(parseInt(prop, 10), 1); - } else { + } else if (ptr.hasOwnProperty(prop)) { delete ptr[prop]; } }
test/index.js+9 −0 modified@@ -243,4 +243,13 @@ describe('changeset', function () { ]); done(); }); + + it('should not allow prototype pollution', function(done) { + var changeset = [ + { type: 'put', key: ['__proto__','polluted'], value: 'Yes! Its Polluted'} + ]; + diff.apply(changeset, {}, true); + expect({}.polluted).to.not.equal('Yes! Its Polluted'); + done(); + }) });
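Review bot: in the first index.js hunk, `ptr.hasOwnProperty(prop)` is invoked as a method on the object being patched, so it throws a TypeError when the target was created with `Object.create(null)` and is bypassed when the document carries an own property named `hasOwnProperty`; use `Object.prototype.hasOwnProperty.call(ptr, prop)` in the new condition. The added `else if (prop !== '__proto__')` also guards only the leaf assignment, and when a non-leaf segment fails the own-property check the forEach callback does not stop: the remaining segments are applied against the unchanged `ptr`, so the change is silently truncated onto the parent object instead of being rejected. Validating every segment of `ch.key` up front (rejecting `__proto__`, `constructor` and `prototype`) and aborting the change would make the behaviour explicit and testable.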
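Review bot: in the second index.js hunk the own-property guard on `delete ptr[prop]` has the same `Object.create(null)` and shadowing problem and should read `Object.prototype.hasOwnProperty.call(ptr, prop)`. The `Array.isArray(ptr)` branch just above it is left unchanged and still calls `ptr.splice(parseInt(prop, 10), 1)` without checking the index: a non-numeric segment parses to NaN and `splice(NaN, 1)` removes element 0, so a malformed delete still mutates the array. Guard it with `const idx = parseInt(prop, 10);` and `if (Number.isInteger(idx) && idx >= 0 && idx < ptr.length)`.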
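Review bot: the new test in test/index.js covers `__proto__` only as the first segment of a put; add cases for it in a nested position (`['a', '__proto__', 'polluted']`), for the `del` type, and for `constructor` and `prototype` segments so the guards in both index.js hunks are exercised. Because a regression would leave `Object.prototype.polluted` set for every later test in the process, remove it in an `afterEach` (`delete Object.prototype.polluted`) rather than relying on the assertion alone. Minor: the closing `})` of the new `it(...)` is missing the trailing semicolon the surrounding tests use.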
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2gqw-q9r9-7f79 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-25915 (ghsa: ADVISORY)
- github.com/eugeneware/changeset/commit/9e588844edbb9993b32e7366cc799262b4447f99 (ghsa: x_refsource_MISC, WEB)
- web.archive.org/web/20210323102946/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25915 (ghsa: WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25915 (mitre: x_refsource_MISC)