VYPR
Critical severity · NVD Advisory · Published May 14, 2021 · Updated Apr 30, 2025

CVE-2021-25941

Description

Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution in deep-override 1.0.0-1.0.1 allows DoS and potential RCE via crafted __proto__ keys.

Vulnerability

The deep-override npm package versions 1.0.0 through 1.0.1 contains a prototype pollution vulnerability in the override function. The function recursively merges the keys of each source object into the target without rejecting the keys __proto__, constructor, or prototype. Because reading target['__proto__'] on an ordinary object resolves to Object.prototype, a nested source value under that key is merged into Object.prototype itself, and every plain object in the process then inherits the attacker-chosen properties [1][2].

Exploitation

An attacker can exploit this by providing a crafted object containing __proto__ or constructor.prototype keys to any application that passes untrusted input to deep-override. No authentication is required beyond whatever is needed to reach the code path that performs the merge. A JSON payload is sufficient: JSON.parse creates __proto__ as an ordinary own property, so the override function enumerates it like any other key and merges its contents into the prototype chain [1][3].

Impact

Successful exploitation pollutes Object.prototype, so properties the attacker chooses appear on every plain object in the application. This can cause denial of service by breaking object property lookups, for example when code checks for the presence of a key or calls a method the attacker has overwritten. In some scenarios it may enable remote code execution if the polluted properties reach code paths that evaluate or execute their values [1].

Mitigation

The vulnerability is fixed in commit [2], which adds a check that skips the keys __proto__, constructor, and prototype during the merge. The GitHub Security Advisory lists 1.0.2 as the patched version, so users should upgrade to 1.0.2 or later. Where upgrading is not possible, do not pass untrusted objects to deep-override, or reject those three keys before merging; merging into a target created with Object.create(null) removes the __proto__ route as well, since such an object has no prototype to walk into [2][3].
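The following is an added example, not deep-override's own code. It is a minimal recursive merge written to reproduce the vulnerable pattern the Vulnerability and Exploitation sections describe (descend into every own key of the source, including __proto__), placed beside a hardened variant that skips the three dangerous keys the way the fix does. The payload is constructed for the demonstration, the function names are hypothetical, and it assumes Node.js.

```javascript
'use strict';

// Added example, not deep-override's own code: a minimal recursive merge that
// reproduces the vulnerable pattern, beside a hardened variant with the guard
// the fix adds. Function names are hypothetical. Assumes Node.js.

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern. When src came from JSON.parse, '__proto__' is an OWN
// enumerable property, so Object.keys() yields it. Reading target['__proto__']
// on an ordinary target resolves to Object.prototype, and the recursion then
// writes the attacker's nested keys straight into it.
function vulnerableOverride(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      vulnerableOverride(target[key], val);   // may recurse into Object.prototype
    } else if (isPlainObject(val)) {
      target[key] = vulnerableOverride({}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant: refuse to traverse or assign the keys that reach the
// prototype chain. Mirrors the guard added by the fix commit.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeOverride(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      safeOverride(target[key], val);
    } else if (isPlainObject(val)) {
      target[key] = safeOverride({}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payload, shaped like a JSON request body that an
// application might merge into its default configuration.
const ATTACKER_JSON = '{"name": "evil", "__proto__": {"isAdmin": true}}';

// Runs one merge and reports whether an unrelated, freshly created object now
// inherits the attacker's property. Cleans Object.prototype afterwards so the
// process stays usable.
function runDemo(merge) {
  const defaults = { name: 'default', retries: 3 };
  const config = merge(defaults, JSON.parse(ATTACKER_JSON));
  const polluted = ({}).isAdmin === true;            // fresh object inherits it?
  const leakedIntoConfig = config.isAdmin === true;   // inherited, not an own key
  delete Object.prototype.isAdmin;
  return { config, polluted, leakedIntoConfig };
}

const vulnerable = runDemo(vulnerableOverride);
const hardened = runDemo(safeOverride);
console.log('vulnerable merge polluted Object.prototype:', vulnerable.polluted); // true
console.log('hardened merge polluted Object.prototype:', hardened.polluted);     // false
```

The hardened variant drops the three keys silently, which is what the upstream guard does as well; an application that legitimately needs a key named constructor in its data would have to handle that separately. Merging into a null-prototype target (Object.create(null)) is an alternative for the __proto__ route, but it does not by itself stop a constructor.prototype walk in a merge that descends into functions, so the key blocklist is the more general guard.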

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions    Patched versions
deep-override   npm         >= 1.0.0, < 1.0.2    1.0.2

Affected products: 3

Patches: 1

Commit 2aced17651fb

Security fix for Prototype Pollution

https://github.com/ASaiAnudeep/deep-override · Arjun Shibu · Dec 17, 2020 · via ghsa
1 file changed · +3 −1
  • src/index.js (+3 −1, modified)
    @@ -46,6 +46,8 @@ function override(...rawArgs) {
           });
         } else {
           Object.keys(obj).forEach(key => {
    +        if (key == '__proto__' || key == 'constructor' || key == 'prototype')
    +          return
             src = target[key];
             val = obj[key];
             if (val === target) {
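Review bot: the guard at `if (key == '__proto__' || key == 'constructor' || key == 'prototype')` uses loose `==` and a bare `return` with no semicolon, while the surrounding lines (`src = target[key];`, `val = obj[key];`) use strict semicolon style; prefer `===` for string comparison and terminate the statement to match the file. A one-line comment that these keys are deliberately ignored would also help, since a legitimate input key named `constructor` is now dropped silently. Note too that the guard sits only in the `else` branch iterating `Object.keys(obj)`; the branch that closes with `});` just above is outside this hunk, so confirm it cannot reach object keys from untrusted input.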
    @@ -69,4 +71,4 @@ function override(...rawArgs) {
       return target;
     }
     
    -module.exports = override;
    \ No newline at end of file
    +module.exports = override;
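Review bot: this hunk changes nothing but the missing trailing newline after `module.exports = override;` (the `-`/`+` pair is the same line). Fine to keep, but a whitespace-only change is best separated from a security fix so the reviewable diff is just the guard.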
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.