CVE-2021-25928
Description
Prototype pollution in safe-obj npm package versions 1.0.0 to 1.0.2 allows denial of service and potential remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A prototype pollution vulnerability in the safe-obj npm package (versions 1.0.0 through 1.0.2) allows an attacker to pollute the Object prototype via crafted input. The vulnerable code path is in lib/index.js (line 122) [2].
Exploitation
An attacker can provide a specially crafted object that sets arbitrary properties on the global Object prototype, leading to property injection. This can be achieved without authentication if the target application processes user-supplied data using the vulnerable safe-obj methods [1].
Impact
Successful exploitation causes denial of service (DoS) due to unexpected property inflation, and may lead to remote code execution (RCE) depending on how the polluted properties are used in the application [1][3].
Mitigation
As of the publication date (2021-04-26), no patched version has been released. Users should review their usage of safe-obj and consider replacing it with an alternative library. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
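Because no fixed release exists, the first step of that review is finding every installed copy, including transitive ones. The following added example (not code from safe-obj or from the advisory) checks a parsed package-lock.json for safe-obj in the affected range; the sample lockfiles and the package names `example-app` and `some-parent` are constructed for illustration.

```javascript
// Added example: flag safe-obj installs in the affected range (>= 1.0.0, <= 1.0.2).
const AFFECTED = { name: "safe-obj", min: [1, 0, 0], max: [1, 0, 2] };

// Compare two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Only plain x.y.z registry versions are matched; git/tarball specs are skipped.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return false;
  const v = m.slice(1).map(Number);
  return cmp(v, AFFECTED.min) >= 0 && cmp(v, AFFECTED.max) <= 0;
}

function findAffected(lock) {
  const hits = [];
  const check = (name, meta, path) => {
    if (name === AFFECTED.name && isAffected(meta.version)) hits.push({ path, version: meta.version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path.split("node_modules/").pop(), meta, path);
    }
    return hits; // v2 also mirrors the tree under "dependencies"; do not report twice
  }
  // lockfileVersion 1: nested "dependencies" tree, so transitive copies need recursion.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta, [...trail, name].join(" > "));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles; "example-app" and "some-parent" are made-up names.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "0.1.0" },
  "node_modules/some-parent": { version: "2.3.4" },
  "node_modules/some-parent/node_modules/safe-obj": { version: "1.0.2" } } };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "some-parent": { version: "2.3.4", dependencies: { "safe-obj": { version: "1.0.1" } } } } };

console.log(findAffected(SAMPLE_V3), findAffected(SAMPLE_V1));
```

To run it against a real project, pass the result of `JSON.parse` on the project's package-lock.json to `findAffected`.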
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| safe-obj (npm) | >= 1.0.0, <= 1.0.2 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
References (4)
- github.com/advisories/GHSA-wpgh-hmv4-r3v5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-25928 (ghsa, ADVISORY)
- github.com/mantacode/safe-obj/blob/6ab63529182b6cf11704ac84f10800290afd3f9f/lib/index.js (ghsa, x_refsource_MISC, WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25928 (ghsa, x_refsource_MISC, WEB)