CVE-2021-25916
Description
Prototype pollution in patchmerge npm package allows denial of service and potential remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The 'patchmerge' npm package (versions 1.0.0 through 1.0.1) is vulnerable to prototype pollution [1]. The library merges JavaScript objects according to RFC 7396 but improperly handles special keys like __proto__, allowing an attacker to pollute Object.prototype with arbitrary properties [2]. This stems from a missing check that would prevent modification of the prototype chain during deep merge operations [3].
To exploit this vulnerability, an attacker supplies a crafted JSON patch object containing a __proto__ key with malicious payloads. If the application processes user-controlled patches (e.g., via HTTP PATCH endpoints or configuration files), the pollution can be triggered without authentication [4]. The attack does not require network proximity beyond typical web access.
Successful exploitation leads to prototype pollution, which can cause denial of service by corrupting object properties globally. More critically, it may enable remote code execution if polluted properties are used in security-sensitive contexts (e.g., property access in generators or sandbox escapes) [1][4]. The exact impact depends on the application logic.
The issue is fixed in commit 5b383c5 [3], but no patched release was published before the repository was archived [2]. Users are advised to either apply the patch manually or migrate to an alternative library. No known workarounds exist other than avoiding the processing of untrusted patches.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
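The narrative above describes a deep merge that follows a `__proto__` key straight into `Object.prototype`. The JavaScript below is an added example, not patchmerge's code or the fix commit: a minimal RFC 7396 merge-patch in a naive form that shows the defect class, a hardened form that refuses prototype-chain keys and only recurses into properties the target owns, and a `findUnsafeKey` helper for rejecting and logging such patches at the input boundary. All function names are this example's own; the payload string is the one from the advisory's test2.js.

```javascript
'use strict';
// Added example (not patchmerge's code): naive vs. hardened RFC 7396 merge-patch.

// Keys that resolve to prototype objects on ordinary JavaScript values.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive deep merge in the spirit of RFC 7396: null deletes, objects recurse,
// anything else replaces. Vulnerable: target['__proto__'] resolves to
// Object.prototype, so the recursion writes into the global prototype.
function naiveMergePatch(target, patch) {
  if (!isPlainObject(patch)) return patch;
  if (!isPlainObject(target)) target = {};
  for (const key of Object.keys(patch)) {
    const value = patch[key];
    if (value === null) {
      delete target[key];
    } else if (isPlainObject(value)) {
      target[key] = naiveMergePatch(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: skip keys that would walk into the prototype chain and
// only merge into properties the target actually owns (inherited ones are replaced).
function safeMergePatch(target, patch) {
  if (!isPlainObject(patch)) return patch;
  if (!isPlainObject(target)) target = {};
  for (const key of Object.keys(patch)) {
    if (UNSAFE_KEYS.has(key)) continue; // refuse rather than "fix up"
    const value = patch[key];
    if (value === null) {
      delete target[key];
    } else if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = safeMergePatch(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: returns the dotted path of the first prototype-chain key in a
// patch (or null), so a server can reject and log the request instead of silently
// skipping. Arrays are atomic in RFC 7396, so they are not descended into.
function findUnsafeKey(patch, path = []) {
  if (!isPlainObject(patch)) return null;
  for (const key of Object.keys(patch)) {
    if (UNSAFE_KEYS.has(key)) return [...path, key].join('.');
    const nested = findUnsafeKey(patch[key], [...path, key]);
    if (nested) return nested;
  }
  return null;
}

// Runs the advisory's PoC payload through both merges and reports whether the
// global prototype was touched; restores it afterwards so the process stays clean.
function demonstrate() {
  const payload = '{ "__proto__": { "isAdmin": true } }'; // payload from the advisory's test2.js
  const probe = () => ({}).isAdmin === true;               // does a fresh object inherit isAdmin?

  naiveMergePatch({}, JSON.parse(payload));
  const naivePolluted = probe();
  delete Object.prototype.isAdmin;                         // undo the pollution

  const out = safeMergePatch({}, JSON.parse(payload));
  const safePolluted = probe();
  return { naivePolluted, safePolluted, safeResultKeys: Object.keys(out) };
}

console.log(JSON.stringify(demonstrate()));
```

Skipping the key silently is the minimum; in a service that accepts PATCH bodies, running `findUnsafeKey` first and rejecting the request with the offending path logged turns the attempt into a detection signal instead of hiding it. `JSON.parse` creates `__proto__` as an ordinary own key, which is why `Object.keys` lists it and why the naive merge walks into the global prototype.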
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| patchmerge (npm) | >= 1.0.0, < 1.0.2 | 1.0.2 |
Affected products
- patchmerge/patchmerge
Patches
- 5b383c537eae: don't inadvertently modify Object.prototype
2 files changed · +16 −0
index.js+11 −0 modified@@ -102,6 +102,17 @@ const objectMerge = (original, patch, removeMode) => { } //merge objects else { + //Don't implicitly mutate Object.prototype but subsitute an empty object + if(original[name] === Object.prototype) { + delete original[name]; + + Object.defineProperty(original, name, { + enumerable: true, + writable: true, + value: {} + }); + } + original[name] = objectMerge(original[name], patch[name], removeMode); } }
test2.js+5 −0 added@@ -0,0 +1,5 @@ +patchMerge = require('./index.js'); +var obj = {} +console.log("Before : " + obj.isAdmin); +console.log(patchMerge(obj, JSON.parse('{ "__proto__": { "isAdmin": true }}'))); +console.log("After : " + obj.isAdmin);
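Review bot: the new guard in index.js is value-based and only recognises the one case where `original[name]` resolves to `Object.prototype`; if `original` is anything other than a plain object when it reaches this branch (an array or a class instance), `original['__proto__']` resolves to that type's prototype instead, the comparison is false, and the unchanged `original[name] = objectMerge(original[name], patch[name], removeMode);` line still recurses into a shared prototype. A key-based check is more robust: skip or reject `name` when it is `__proto__`, `constructor` or `prototype` before the `else` branch, and only recurse into properties the target owns (`Object.prototype.hasOwnProperty.call(original, name)`). Minor: `subsitute` in the new comment should be `substitute`.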
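Review bot: test2.js assigns `patchMerge = require('./index.js');` without `var`/`const`, which creates an implicit global and throws under `'use strict'`, and it only logs `obj.isAdmin` before and after the call rather than asserting, so a regression would not fail any test run. Suggest `const patchMerge = require('./index.js');` followed by an explicit check such as `assert.strictEqual(obj.isAdmin, undefined)`; since `obj.isAdmin` is read through the prototype chain, also check a fresh `{}` to confirm `Object.prototype` itself was left untouched.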
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-84g3-cv89-m9gm (GHSA, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-25916 (GHSA, ADVISORY)
- [3] github.com/pjshumphreys/patchmerge/commit/5b383c537eae7a00ebd26d3f7211dac99ddecb12 (GHSA, x_refsource_MISC, WEB)
- [4] www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25916 (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.