CVE-2021-25944
Description
Prototype pollution in deep-defaults npm package versions 1.0.0-1.0.5 allows DoS and potential RCE via __proto__ injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The NPM package deep-defaults versions 1.0.0 through 1.0.5 contains a prototype pollution vulnerability in the _deepDefaults() function. The function fails to validate the type of the source object before assigning properties, allowing an attacker to pollute the prototype chain via the __proto__ property [1][4].
Exploitation
An attacker can exploit this by providing a crafted object with a __proto__ property to the deepDefaults() function. No authentication is required if the function processes user-supplied input. The attacker simply passes a malicious object, e.g., {"__proto__": {"polluted": true}}, which results in prototype pollution [1].
Impact
Successful exploitation leads to denial of service (e.g., unexpected behavior) and can potentially enable remote code execution if the attacker can influence subsequent operations that rely on object properties [1][3]. The pollution affects all objects inheriting from the polluted prototype, escalating the attack's scope.
Mitigation
No official fix has been released; the repository is not actively maintained [2]. Users should avoid using deep-defaults or migrate to an alternative package that handles object merging safely. Monitor for any updates or patches in the future.
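The root cause described above (a recursive defaults merge that trusts every key of the source object, so a `__proto__` key walks into `Object.prototype`) and the mitigation (move to a merge that handles objects safely) are both illustrated below. This is an added example written for this page, not code from the deep-defaults package or from the advisory; the function names `unsafeDeepDefaults`, `safeDeepDefaults` and `findForbiddenKeys`, and the JSON payload, are constructed for the illustration.

```javascript
// Added example (not code from deep-defaults or the advisory): a naive recursive
// "defaults" merge of the shape the advisory describes, beside a hardened variant
// that cannot reach Object.prototype, plus an input-side check for review/logging.

function isPlainObject(value) {
  // Only literal objects are merged; null, arrays, functions and class instances are not.
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern: trusts every enumerable key of `source`, including "__proto__".
// With target = {} the lookup target["__proto__"] resolves to Object.prototype, so the
// recursion writes the source's nested keys onto the prototype shared by all objects.
function unsafeDeepDefaults(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeDeepDefaults(target[key], source[key]);
    } else if (!(key in target)) {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that would let a merge step off the data object and onto the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: own keys only, forbidden keys skipped, recursion only into plain
// objects, and nested source objects copied through the same sanitising merge.
function safeDeepDefaults(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (hasOwn && isPlainObject(target[key]) && isPlainObject(srcVal)) {
      safeDeepDefaults(target[key], srcVal);
    } else if (!hasOwn) {
      target[key] = isPlainObject(srcVal) ? safeDeepDefaults({}, srcVal) : srcVal;
    }
  }
  return target;
}

// Input-side check: returns the JSON paths of any forbidden keys in untrusted input,
// usable as a request-validation step or as a detection hook before a merge runs.
function findForbiddenKeys(value, path = '$', found = []) {
  if (!isPlainObject(value)) return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findForbiddenKeys(value[key], here, found);
  }
  return found;
}

// Constructed payload, parsed the way a JSON request body would be. JSON.parse creates an
// *own* "__proto__" data property rather than setting the prototype, which is why it is
// enumerated by the merge loops above.
const CONSTRUCTED_PAYLOAD = '{"__proto__": {"polluted": true}, "a": 2, "b": {"c": 3}}';

function demoUnsafeMerge() {
  unsafeDeepDefaults({ a: 1 }, JSON.parse(CONSTRUCTED_PAYLOAD));
  const leaked = ({}).polluted === true;  // an unrelated, freshly created object now has the key
  delete Object.prototype.polluted;       // undo so the rest of the process is unaffected
  return leaked;
}

function demoSafeMerge() {
  const result = safeDeepDefaults({ a: 1 }, JSON.parse(CONSTRUCTED_PAYLOAD));
  return { result, leaked: ({}).polluted === true };
}

console.log('unsafe merge polluted Object.prototype:', demoUnsafeMerge());
console.log('safe merge:', JSON.stringify(demoSafeMerge()));
console.log('forbidden keys in payload:', findForbiddenKeys(JSON.parse(CONSTRUCTED_PAYLOAD)));
```

The hardened merge keeps the "defaults" semantics (existing keys on the target win, missing ones are filled from the source) while refusing to follow `__proto__`, `constructor` or `prototype`, and `findForbiddenKeys` gives a place to reject or log such input at the boundary rather than relying on the merge alone.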
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| deep-defaults (npm) | >= 1.0.0, <= 1.0.5 | — |
Affected products
- deep-defaults/deep-defaults
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h6xg-rg33-9mf4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25944 (GHSA, advisory)
- github.com/d5/deep-defaults/blob/321d0e2231aa807d54e7f95d75c22048a806923f/lib/index.js (GHSA, web)
- web.archive.org/web/20210525211925/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25944 (GHSA, web)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25944 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.