CVE-2021-25949
Description
Prototype pollution in set-getter 0.1.0 allows denial of service and potentially remote code execution via malicious prop input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The set-getter package version 0.1.0 contains a prototype pollution vulnerability in the setGetter() function defined in index.js [2][3]. The function accepts obj, prop, and getter as arguments and uses Object.defineProperty to assign a getter to the property without validating the type or content of the prop argument [1][4]. If an attacker supplies a string such as __proto__ or other prototype-altering paths, the property is assigned directly to the object's prototype chain [1]. This flaw occurs because there is no check to prevent the prop value from referencing the prototype [1][2].
Exploitation
An attacker does not require authentication or a privileged network position if the vulnerable package is used in an application that processes untrusted user input as property paths [1]. The attacker crafts a prop value containing __proto__ (or similar prototype keys) and passes it to setGetter(). When the function assigns the getter to the object, it pollutes the prototype of the base object [1]. No user interaction beyond sending the malicious payload is needed [1].
Impact
Successful prototype pollution can cause a denial of service by overwriting properties inherited by all objects, leading to erratic behavior or crashes [1]. The advisory states that this vulnerability may lead to remote code execution (RCE) under certain conditions, as polluted prototypes can affect how objects are used throughout an application [1]. The exact impact depends on how the polluted prototype is leveraged in the context of the calling application [1].
Mitigation
The set-getter package repository does not indicate a fixed version was released after 0.1.0 [4]. The available references suggest no patch exists; users should avoid using the package with untrusted input for the prop argument [1][2]. As of the publication date (June 10, 2021), no fix was available [1][2]. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
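To make the mechanics described under Vulnerability and Exploitation concrete, and to show what the two mitigation styles (drop offending segments, as the upstream patch does, versus refuse the whole call) do with the same input, here is an added example. It is not code from the set-getter package or from this advisory; the functions `splitPath`, `resolveTargetUnsafe`, `filterPathLikePatch`, `validatePath`, `setGetterSafe` and `isPrototypePolluted` and the `FORBIDDEN_KEYS` set are this example's own names, and the path parser is a simplified stand-in for dot-notation handling (no bracket notation).

```javascript
// Added example, not code from the set-getter package: a minimal dot-path
// walker showing (1) how an unvalidated path resolves to the shared prototype,
// (2) what a "drop bad segments" filter does to such a path, and (3) a
// variant that refuses the path outright. All names here are hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b.c" into its segments. Stand-in for a path parser; it does not
// handle bracket notation.
function splitPath(prop) {
  if (typeof prop !== 'string' || prop.length === 0) {
    throw new TypeError('prop must be a non-empty string');
  }
  return prop.split('.');
}

// Unvalidated walk: every segment is followed, including "__proto__", so the
// object returned can be Object.prototype. It only resolves the container the
// last segment would be defined on; it defines nothing.
function resolveTargetUnsafe(obj, prop) {
  const keys = splitPath(prop);
  keys.pop(); // the final segment is the property name, not a container
  let target = obj;
  for (const key of keys) {
    if (target[key] === null || typeof target[key] !== 'object') {
      target[key] = {};
    }
    target = target[key]; // for key "__proto__" this is Object.prototype
  }
  return target;
}

// Filtering approach: bad segments are silently removed, so
// "__proto__.polluted" collapses to ["polluted"] and a caller would end up
// defining the property on the base object instead of being refused.
function filterPathLikePatch(prop) {
  return splitPath(prop).filter((key) => !FORBIDDEN_KEYS.has(key));
}

// Stricter alternative: any forbidden segment rejects the whole call.
function validatePath(prop) {
  const keys = splitPath(prop);
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing prototype key "${key}" in path "${prop}"`);
    }
  }
  return keys;
}

function setGetterSafe(obj, prop, getter) {
  const keys = validatePath(prop);
  const last = keys.pop();
  let target = obj;
  for (const key of keys) {
    // Only descend into own, plain-object properties; create the rest fresh.
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!own || target[key] === null || typeof target[key] !== 'object') {
      target[key] = {};
    }
    target = target[key];
  }
  Object.defineProperty(target, last, {
    get: getter,
    enumerable: true,
    configurable: true,
  });
  return obj;
}

// Runtime check a test suite or health probe can run: a key that shows up on a
// fresh empty object was inherited through the prototype chain.
function isPrototypePolluted(key) {
  return key in {};
}

// Usage: the unsafe walk reaches the shared prototype, the safe one refuses.
console.log(resolveTargetUnsafe({}, '__proto__.polluted') === Object.prototype); // true
console.log(filterPathLikePatch('__proto__.polluted')); // [ 'polluted' ]
try {
  setGetterSafe({}, '__proto__.polluted', () => true);
} catch (err) {
  console.log(err.message);
}
console.log(isPrototypePolluted('polluted')); // false
```

The resolver deliberately stops short of calling `Object.defineProperty`, so running it never alters `Object.prototype`; it only demonstrates that the container an unvalidated walk ends on is the shared prototype. The `isPrototypePolluted` check is the kind of assertion to keep in a test suite around any code that accepts property paths from outside.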
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| set-getter (npm) | < 0.1.1 | 0.1.1 |
Affected products
- set-getter/set-getter
Patches
66eb3f0d4686: filter out invalid keys
2 files changed · +12 −6
index.js+8 −2 modified@@ -9,6 +9,10 @@ var toPath = require('to-object-path'); +function isValidKey(key) { + return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; +} + /** * Defines a getter function on an object using property path notation. * @@ -40,11 +44,13 @@ function setGetter(obj, prop, getter) { function define(obj, prop, getter) { if (!~prop.indexOf('.')) { - defineProperty(obj, prop, getter); + if (isValidKey(prop)) { + defineProperty(obj, prop, getter); + } return obj; } - var keys = prop.split('.'); + var keys = prop.split('.').filter(isValidKey); var last = keys.pop(); var target = obj; var key;
test.js+4 −4 modified@@ -106,10 +106,10 @@ describe('set-getter', function() { }); assert(!('polluted' in {})); - assert(!('polluted' in obj)); + assert('polluted' in obj); assert({}.polluted !== true); - assert(obj.polluted !== true); + assert(obj.polluted === true); }); it('should not pollute the prototype when using array notation', function() { @@ -123,9 +123,9 @@ describe('set-getter', function() { }); assert(!('polluted' in {})); - assert(!('polluted' in obj)); + assert('polluted' in obj); assert({}.polluted !== true); - assert(obj.polluted !== true); + assert(obj.polluted === true); }); });
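Review bot: isValidKey in the first index.js hunk is a denylist of three exact strings, so it stops only the keys it names; the reason these three are the ones that matter (each resolves to a constructor or prototype object when used as a property name on a plain object) should be stated in a comment next to the function, and since to-object-path is already required on the line above, it is worth confirming that every path form that module normalises ends up passing through isValidKey rather than only the dot-separated form handled here.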
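Review bot: the second index.js hunk drops invalid segments instead of rejecting the call, which silently changes what the caller gets: `var keys = prop.split('.').filter(isValidKey);` turns `__proto__.polluted` into `['polluted']`, so the getter is defined on obj itself (the flipped `assert(obj.polluted === true)` in test.js confirms this), and in the single-key branch an invalid key returns obj untouched with no signal. If every segment is filtered out, `keys` is empty and `var last = keys.pop();` yields undefined, which then flows into the define step that follows. Suggest throwing (a TypeError for a forbidden key, or at least for an empty key list) so callers learn their input was refused rather than redirected.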
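Review bot: both test.js hunks flip the object assertions to `assert('polluted' in obj);` and `assert(obj.polluted === true);` while the test titles still read "should not pollute the prototype ..."; the tests now also lock in that the stripped path lands the property on the base object, which the titles do not say. Either rename the tests to describe that behaviour or keep the prototype checks (`assert(!('polluted' in {}));`, `assert({}.polluted !== true);`) as the only assertions in these cases and move the own-property expectation into its own test, so a later reader does not mistake `obj.polluted === true` for a regression.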
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jv35-xqg7-f92r (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25949 (GHSA; advisory)
- github.com/doowb/set-getter/blob/5bc2750fe1c3db9651d936131be187744111378d/index.js (GHSA; web)
- github.com/doowb/set-getter/commit/66eb3f0d4686a4a8c7c3d6f7ecd8e570b580edc4 (GHSA; web)
- web.archive.org/web/20210615022308/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25949 (GHSA; web)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25949 (MITRE; x_refsource_MISC)