CVE-2021-25946
Description
Prototype pollution in nconf-toml 0.0.1-0.0.2 allows DoS and potential RCE via malicious TOML files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A prototype pollution vulnerability exists in nconf-toml versions 0.0.1 through 0.0.2 [1]. The plugin parses TOML files and merges the resulting object into the nconf configuration store without sanitizing keys. The vulnerable code is in index.js at line 8 [2], where properties are assigned directly from the parsed TOML object.
Exploitation
An attacker can craft a TOML file containing __proto__ or constructor.prototype keys. If an application using nconf-toml loads such a file (e.g., via nconf.file()), the malicious keys pollute the global Object.prototype. No authentication is required if the attacker can supply the file path or content.
Impact
Successful exploitation leads to denial of service (DoS) due to unexpected behavior from polluted prototypes, and may enable remote code execution (RCE) by overwriting properties used in subsequent code execution [1][4].
Mitigation
No official patch has been released for nconf-toml versions 0.0.1-0.0.2. Users should avoid processing untrusted TOML files with this library. Consider switching to alternative TOML parsers that are not vulnerable to prototype pollution. The repository [3] appears unmaintained.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
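The Vulnerability and Mitigation passages above describe the unsanitized merge and advise against loading untrusted TOML with this library. The following is an added example, not nconf-toml's own code, showing how a key-sanitizing merge and a post-load check would look when a parsed TOML object is copied into a configuration store; the names safeMerge, loadConfig and pollutedKeys and the sample parsed object are this example's own constructions.

```javascript
// Added example (not nconf-toml's own code): a key-sanitizing deep merge for
// loading a parsed TOML object into a configuration store, plus a post-load
// check that Object.prototype was not touched.

// Keys that let a plain-object merge reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively copy `source` into `target`, skipping forbidden keys at every
// depth. Object.keys() lists only own enumerable keys, so inherited
// properties of the parsed object are never walked. Dropped keys are
// collected so the caller can log them or reject the file outright.
function safeMerge(target, source, dropped = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      dropped.push(key);
      continue;
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only descend into an own object we created; never into an inherited
      // property of the target such as target.constructor.
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value, dropped);
    } else {
      target[key] = value;
    }
  }
  return { merged: target, dropped };
}

// Detection check: Object.prototype normally has no own enumerable keys, so
// anything reported here landed there through pollution.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample of what a parser might return for a file carrying a
// __proto__ table and a constructor.prototype table next to real settings.
// JSON.parse is used because it creates "__proto__" as an own key instead of
// setting the object's prototype.
const parsedConfig = JSON.parse(
  '{"database":{"host":"localhost","port":5432},' +
  '"__proto__":{"polluted":"yes"},' +
  '"constructor":{"prototype":{"polluted":"yes"}}}'
);

function loadConfig(parsed) {
  const { merged, dropped } = safeMerge({}, parsed);
  return { store: merged, dropped, polluted: pollutedKeys() };
}
```

After loading, a non-empty `dropped` list or a non-empty `pollutedKeys()` result is the signal to reject the file and alert.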
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nconf-toml (npm) | >= 0.0.1, <= 0.0.2 | — |
Affected products
- nconf-toml/nconf-toml
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hx7j-43w2-7rj7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25946 (NVD advisory)
- github.com/RobLoach/nconf-toml/blob/8ade08cd1cfb9691ab7cc5c3514cc05c5085918f/index.js (web)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25946 (web)
News mentions
No linked articles in our index yet.