VYPR
Critical severity · NVD Advisory · Published Apr 26, 2021 · Updated Apr 30, 2025

CVE-2021-25927

Description

Prototype pollution in safe-flat 2.0.0-2.0.1 allows DoS or RCE via crafted object keys.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The safe-flat library versions 2.0.0 through 2.0.1 contain a prototype pollution vulnerability in the unflatten function. When processing objects, the function fails to block dangerous keys such as __proto__, constructor, and prototype, allowing an attacker to modify Object.prototype [2][3].

Exploitation

An attacker can exploit this by providing a crafted object to the unflatten function, e.g., via user-supplied data. The function will iterate over the keys and assign values along the prototype chain if a key like __proto__.polluted is present. No special privileges are required; only the ability to pass data to the vulnerable function [2].

Impact

Successful exploitation leads to prototype pollution, which can cause denial of service (e.g., unexpected application behavior) and may lead to remote code execution if the polluted properties are later used in dangerous operations [3].

Mitigation

The issue is fixed by the commit at [2], which adds a check for the __proto__, constructor, and prototype keys. Users should update to a version that includes this fix (e.g., version 2.0.2 or later). If an update is not possible, avoid passing untrusted objects to the unflatten function [2][3].
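The following is an added example, not safe-flat's own code, showing the defensive pattern the fix relies on: a pre-check that flags flattened keys whose path touches the prototype chain, and an unflatten routine that drops such keys entirely (stricter than the upstream fix, which skips only the offending segment). The function names, the delimiter default and the sample input are assumptions constructed for this illustration; array handling from the original library is omitted.

```javascript
// Added example (not from the safe-flat project): hardened unflatten.
// Path segments that would walk onto Object.prototype are rejected.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Return every flattened key that contains a dangerous path segment,
// so callers can reject or log untrusted input before expanding it.
function findDangerousKeys(flat, delimiter = '.') {
  return Object.keys(flat).filter((key) =>
    key.split(delimiter).some((segment) => DANGEROUS_SEGMENTS.has(segment)));
}

// Expand {'a.b': 1} into {a: {b: 1}}. Any key whose path contains a
// dangerous segment is dropped whole, so no write can reach the
// prototype chain. Only own properties of intermediate nodes are reused,
// so inherited names such as 'toString' get a fresh object instead.
function safeUnflatten(flat, delimiter = '.') {
  if (typeof flat !== 'object' || flat === null) return flat;
  const result = {};
  for (const key of Object.keys(flat)) {
    const path = key.split(delimiter);
    if (path.some((segment) => DANGEROUS_SEGMENTS.has(segment))) continue;
    let node = result;
    path.forEach((segment, i) => {
      if (i === path.length - 1) {
        node[segment] = flat[key];
        return;
      }
      const own = Object.prototype.hasOwnProperty.call(node, segment);
      if (!own || typeof node[segment] !== 'object' || node[segment] === null) {
        node[segment] = {};
      }
      node = node[segment];
    });
  }
  return result;
}

// Constructed input modelled on the regression test in the fix commit.
function demo() {
  const crafted = {
    '__proto__.polluted': 'attempt',
    'a.prototype.polluted': 'attempt',
    'c.constructor.polluted': 'attempt',
    'a.b': 'safe'
  };
  const flagged = findDangerousKeys(crafted);
  const expanded = safeUnflatten(crafted);
  // A fresh object must still be unaffected after the call.
  const globalPolluted = ({}).polluted !== undefined;
  return { flagged, expanded, globalPolluted };
}

console.log(JSON.stringify(demo()));
```

The pre-check is useful on its own at an input boundary: logging the flagged keys gives a detection signal for pollution attempts even when the expansion itself is already hardened.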

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: safe-flat (npm)
Affected versions: >= 2.0.0, < 2.0.2
Patched versions: 2.0.2

Affected products: 1

Patches: 1
4b9b7db976bb

fix(unflat): fix potential for prototype pollution

https://github.com/jessie-codes/safe-flat · Jessie Barnett · Jan 24, 2021 · via ghsa
2 files changed · +14 −0
  • src/index.js (+2 −0, modified)
    @@ -45,13 +45,15 @@ const flatten = (obj, delimiter) => {
     const unflatten = (obj, delimiter) => {
       const result = {}
       const seperator = delimiter || defaultDelimiter
    +  const proto = ['__proto__', 'constructor', 'prototype']
     
       if (typeof obj !== 'object' || isDate(obj)) return obj
     
       const unflat = (original) => {
         Object.keys(original).forEach((key) => {
           const newKeys = key.split(seperator)
           newKeys.reduce((o, k, i) => {
    +        if (proto.includes(newKeys[i])) return o
             return o[k] || (o[k] = isNaN(Number(newKeys[i + 1])) ? (newKeys.length - 1 === i ? original[key] : {}) : [])
           }, result)
         })
    
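Review bot: The new guard `if (proto.includes(newKeys[i])) return o` tests `newKeys[i]`, which is the same value as the reducer's `k` parameter; `proto.includes(k)` reads more directly. More importantly, returning `o` unchanged skips only the offending segment rather than the whole key, so `'__proto__.polluted'` ends up writing `result.polluted` and `'a.prototype.polluted'` writes `result.a.polluted`. That no longer reaches `Object.prototype`, which is the goal, but the collapsed key silently lands one level up; consider dropping the entire key instead, or at least documenting the behaviour in a comment next to the check. The pre-existing `seperator` spelling in the context lines is a nit worth fixing while here.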
  • test/unflatten.spec.js (+12 −0, modified)
    @@ -150,3 +150,15 @@ test('it should handle date objects', (t) => {
     
       t.deepEqual(unflatten(original), expected)
     })
    +
    +test('it should not pollute the prototype', (t) => {
    +  const original = {
    +    '__proto__.polluted': 'Attempt to pollute the prototype',
    +    'a.prototype.polluted': 'Attempt to pollute the prototype',
    +    'a.b': 'This attribute is safe',
    +    'c.constructor.polluted': 'Attempt to pollute the prototype',
    +    'constructor.polluted': 'Attempt to pollute the prototype'
    +  }
    +  unflatten(original)
    +  t.assert({}.polluted == null)
    +})
    
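Review bot: The regression test only asserts `{}.polluted == null` and discards the return value of `unflatten(original)`, so it would still pass if the fix broke expansion of ordinary keys. Add an assertion on the safe path, e.g. `t.is(unflatten(original).a.b, 'This attribute is safe')`, and consider checking `{}.constructor === Object` as well, since `'constructor.polluted'` and `'c.constructor.polluted'` are in the input but nothing verifies that the `constructor` path stayed untouched.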

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
