CVE-2021-25948
Description
Prototype pollution in expand-hash 0.1.0-1.0.1 allows denial of service and potential remote code execution via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The expand-hash library (versions 0.1.0 through 1.0.1) recursively expands object keys written in dot notation into nested objects [3]. A prototype pollution vulnerability exists in index.js at line 19 [2]. When user-controlled input reaches the expand() function, an attacker can supply dotted keys whose path segments are __proto__ or constructor.prototype; the expansion resolves each segment as a property lookup, walks out of the result object into Object.prototype, and writes the attacker's leaf value there, so every object in the process inherits it [1][4].
Exploitation
An attacker can exploit this by passing a crafted object with malicious prototype keys to any application that calls expand-hash on untrusted data, for example a parsed JSON request body whose keys are then expanded. No authentication or special privileges are required; the attacker only needs to supply input that is processed by the vulnerable function. The pollution occurs during the recursive expansion of the dot-notation keys [2].
Impact
Successful prototype pollution can cause a denial of service (DoS) by overriding properties that other code inherits from Object.prototype (for example toString, or a flag that the application checks with a plain truthiness test on an object that never set it), and may enable remote code execution (RCE) if the polluted property later flows into a sink such as a template engine or child-process options [1][4]. The exact impact depends on how the application uses the polluted object and on which inherited properties its other code paths read.
Mitigation
As of the publication date (2021-06-10), no patched version of expand-hash has been released, and the repository does not indicate a fix [3][4]. Users should not pass untrusted input to the expand() function, or should switch to a library that rejects the __proto__, constructor and prototype path segments. Where expand-hash must remain in use, validate keys before expansion (reject any dotted key containing those segments), expand into an object created with Object.create(null) so there is no prototype chain to climb, and treat Object.freeze(Object.prototype) as a last-resort process-wide hardening, since it can break dependencies that legitimately extend the prototype.
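As an added example (not code from the expand-hash repository or its author), the following is a minimal dot-notation expander in the style the Vulnerability and Exploitation sections describe, shown in a vulnerable form and a hardened form that applies the mitigations above, with a canary check that detects pollution at runtime. The function names, the FORBIDDEN_SEGMENTS list and the ATTACKER_INPUT payload are constructed for this illustration and are not taken from the advisory or the library; the real code at the cited line is not reproduced here.

```javascript
'use strict';

// Added example, not expand-hash's own code. expandVulnerable is a minimal
// dot-notation expander in the style the advisory describes. Every segment
// of a dotted key becomes a property lookup, and nothing stops a segment from
// being "__proto__" or the pair "constructor" then "prototype", so the walk
// climbs out of the result object into Object.prototype.
function expandVulnerable(flat) {
  const out = {};
  for (const key of Object.keys(flat)) {
    const parts = key.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      // Inherited values such as out.__proto__ or out.constructor pass this
      // test, so the walk follows them instead of creating a fresh object.
      if (cur[p] == null) cur[p] = {};
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = flat[key];
  }
  return out;
}

// Hardened expander: rejects the dangerous segments outright and builds the
// result from null-prototype objects, so even a missed segment cannot reach
// a shared prototype. Only own properties are descended into.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function expandSafe(flat) {
  const out = Object.create(null);
  for (const key of Object.keys(flat)) {
    const parts = key.split('.');
    if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
      throw new Error('refusing to expand key with forbidden segment: ' + key);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cur, p);
      if (!own || typeof cur[p] !== 'object' || cur[p] === null) {
        cur[p] = Object.create(null);
      }
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = flat[key];
  }
  return out;
}

// Canary check: a freshly created empty object must not see the property.
// Usable as a test assertion or as a health probe in a running service.
function isPolluted(name) {
  return name in {};
}

// Constructed attacker input (hypothetical): one legitimate key alongside
// the two injection vectors named in the advisory.
const ATTACKER_INPUT = {
  'user.name': 'alice',
  '__proto__.polluted': 'yes',
  'constructor.prototype.polluted2': 'yes',
};

function demo() {
  const before = isPolluted('polluted') || isPolluted('polluted2');
  const vulnResult = expandVulnerable(ATTACKER_INPUT);
  const after = isPolluted('polluted') && isPolluted('polluted2');
  // Undo the pollution so the rest of this process is not affected.
  delete Object.prototype.polluted;
  delete Object.prototype.polluted2;

  let safeRejected = false;
  try {
    expandSafe(ATTACKER_INPUT);
  } catch (e) {
    safeRejected = true;
  }
  const safeResult = expandSafe({ 'user.name': 'alice', 'user.role': 'reader' });
  return {
    before,                        // false: the process starts clean
    after,                         // true: both vectors landed on Object.prototype
    vulnUserName: vulnResult.user.name,
    safeRejected,                  // true: the hardened version refuses the payload
    safeUserRole: safeResult.user.role,
    stillClean: !isPolluted('polluted') && !isPolluted('polluted2'),
  };
}

console.log(demo());
```

Run it with node. Two design points: expandSafe returns null-prototype objects, which JSON.stringify handles but which lack inherited helpers such as hasOwnProperty and toString, so a caller that needs plain objects can build the result with {} and rely on the segment rejection alone; and rejecting the bare segment "prototype" also blocks legitimately named keys, which is the usual trade-off when the input format cannot distinguish data keys from path traversal.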
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| expand-hash (npm) | <= 1.0.1 | — |
Affected products
- expand-hash/expand-hash
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-x3wr-v4wx-5qpc (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25948 (NVD)
- github.com/doowb/expand-hash/blob/556913f6c2f05848110b5b8261cfc78e5ce3dc77/index.js (source file, MISC)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25948 (WhiteSource vulnerability database, MISC)
News mentions
No linked articles in our index yet.