Critical severityNVD Advisory· Published Jun 3, 2021· Updated Aug 3, 2024

CVE-2021-25947

Description

Prototype pollution in nestie npm package up to 1.0.0 allows DoS and possible RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution in nestie npm package up to 1.0.0 allows DoS and possible RCE.

Vulnerability

The nestie npm package (versions 0.0.0 through 1.0.0) is vulnerable to prototype pollution. The nestie function, which deeply assigns object properties, does not sanitize keys like __proto__, constructor.prototype, or similar. An attacker can inject arbitrary properties into the global Object.prototype, leading to denial of service and potentially remote code execution. [1][2][3]

Exploitation

An attacker can craft a malicious input object containing keys such as __proto__ or constructor.prototype with arbitrary values. When processed by nestie, these keys pollute the prototype of base objects. The attack does not require authentication but relies on a user or application processing untrusted input through the vulnerable function. [2]

Impact

Successful exploitation allows an attacker to pollute Object.prototype, affecting all objects in the application. This can cause unexpected behavior, denial of service, or, under certain conditions, remote code execution if the polluted properties are used in security-sensitive operations. [1][3]

Mitigation

The vulnerability is fixed in version 1.0.1 of nestie. Users should upgrade to the patched version. No workaround is available in versions <=1.0.0. [2][3]

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
nestienpm	< 1.0.1	1.0.1

Affected products

nestie/nestiedescription
ghsa-coords
pkg:npm/nestie
Range: < 1.0.1

Patches

bc80d5898d1e

fix: prevent prototype pollution

https://github.com/lukeed/nestieLuke EdwardsMay 29, 2021via ghsa

commit

2 files changed · +47 −0

src/index.js+5 −0 modified

@@ -14,11 +14,16 @@ export function nestie(input, glue) {
 
 		for (i=0; i < arr.length;) {
 			key = arr[i++];
+
 			if (tmp == null) {
 				tmp = empty(''+key);
 				output = output || tmp;
 			}
 
+			if (key == '__proto__') {
+				break;
+			}
+
 			if (i < arr.length) {
 				if (key in tmp) {
 					tmp = tmp[key];

test/index.js+42 −0 modified

@@ -428,4 +428,46 @@ test('array :: kitchen', () => {
 	]);
 });
 
+test('proto pollution :: toplevel', () => {
+	let output = nestie({
+		'__proto__.foobar': 123
+	});
+
+	let tmp = {};
+	assert.equal(output, {});
+	assert.is(tmp.foobar, undefined);
+});
+
+test('proto pollution :: midlevel', () => {
+	let output = nestie({
+		'aaa.__proto__.foobar': 123
+	});
+
+	let tmp = {};
+	assert.equal(output, { aaa: {} });
+	assert.is(tmp.foobar, undefined);
+});
+
+test('proto pollution :: sibling', () => {
+	let output = nestie({
+		'aaa.bbb': 'abc',
+		'__proto__.foobar': 123,
+		'aaa.xxx': 'xxx',
+		'foo.bar': 456,
+	});
+
+	assert.equal(output, {
+		aaa: {
+			bbb: 'abc',
+			xxx: 'xxx',
+		},
+		foo: {
+			bar: 456
+		}
+	});
+
+	let tmp = {};
+	assert.is(tmp.foobar, undefined);
+});
+
 test.run();

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-m7rg-8wvq-846vghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-25947ghsaADVISORY
github.com/lukeed/nestie/commit/bc80d5898d1e5e8a3d325d355eda0c325c8dcfc2ghsaWEB
www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25947ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.002
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000