CVE-2021-25943
Description
Prototype pollution in '101' library versions 1.0.0 to 1.6.3 can cause denial of service and potentially remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A prototype pollution vulnerability exists in the 101 JavaScript utility library, affecting versions 1.0.0 through 1.6.3 [1]. The flaw resides in the set function, which does not properly restrict modifications to the object prototype [3]. This allows an attacker to inject properties into Object.prototype via crafted input, leading to unexpected behavior in applications using the library [4].
Exploitation
An attacker can exploit this by providing a specially crafted object (e.g., with __proto__ or constructor.prototype keys) to the set function. No special network position or authentication is required; the vulnerability is triggered when user-controllable input is passed to the vulnerable function [4]. The attack can be performed remotely via any application that processes untrusted data using the affected 101 library.
Impact
Successful exploitation allows the attacker to pollute the global Object.prototype, potentially leading to denial of service by overriding critical properties, and may enable remote code execution if combined with other vulnerabilities [4]. The scope of compromise depends on how the library is used within the application.
Mitigation
As of the publication date, no patched version of 101 has been released. Users are advised to upgrade to a later version if available, or to avoid using the set function with untrusted input. The vendor has not yet disclosed a fixed version [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
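An added example, not code from the 101 library or from this advisory: a constructed dotted-path setter (`naiveSet`, hypothetical) shows how a `__proto__` path segment reaches Object.prototype, next to a hardened `safeSet` that applies the mitigation above by rejecting `__proto__`, `constructor` and `prototype` segments before writing. All function names and the sample path are assumptions for illustration.

```javascript
// Added example: constructed stand-ins, not the 101 library's code.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive dotted-path setter (hypothetical): follows any key, including __proto__.
function naiveSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k]; // for "__proto__" this is Object.prototype itself
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened setter: rejects prototype-reaching segments and descends
// only through the object's own properties.
function safeSet(obj, path, value) {
  const keys = String(path).split('.');
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new TypeError('blocked key in path: ' + path);
  }
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both setters on a constructed untrusted path and reports the outcome.
function demo() {
  const result = {};
  naiveSet({}, '__proto__.polluted', true);
  result.naivePolluted = ({}).polluted === true; // unrelated object is affected
  delete Object.prototype.polluted;              // undo the pollution
  try {
    safeSet({}, '__proto__.polluted', true);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.safePolluted = 'polluted' in {};
  result.normal = safeSet({}, 'a.b', 1);         // ordinary paths still work
  return result;
}
```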
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| 101 (npm) | >= 1.0.0, <= 1.6.3 | — |
Affected products
- 101/101
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-cwcx-rxgc-cmw3 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-25943 (ADVISORY)
- github.com/tjmehta/101/blob/d87f63ce2a4cbdc476e8287abd78327c3144d646/set.js (WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25943 (WEB)