VYPR
Critical severity · NVD Advisory · Published Jul 7, 2021 · Updated Aug 3, 2024

CVE-2021-25952

Description

Prototype pollution in just-safe-set v1.0.0–2.2.1 allows attackers to cause denial of service or possibly remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The just-safe-set library versions 1.0.0 through 2.2.1 contain a prototype pollution vulnerability. The set() function does not validate property names, allowing an attacker to set properties on Object.prototype via special keys like __proto__, constructor, or prototype. This affects all users of the vulnerable versions of the library.

Exploitation

An attacker can exploit this by providing a crafted object path that includes __proto__, constructor, or prototype as a property key. For example, calling set(obj, '__proto__.x', someValue) would pollute the global Object.prototype. No special network position or authentication is required; the attacker only needs to control the property path and value arguments passed to the set() function.

Impact

Successful exploitation leads to prototype pollution, which can cause unexpected behavior such as denial of service by overriding critical object properties. In some environments, this can also lead to remote code execution if the polluted property influences subsequent code that dynamically accesses or executes properties.

Mitigation

The fix was implemented in commit dd57a476f4bb9d78c6f60741898dc04c71d2eb53 [3] and released in version 2.2.2. Users should upgrade to version 2.2.2 or later. The fix adds a prototypeCheck function that throws an error if the property name is __proto__, constructor, or prototype [4]. No workaround exists for versions below 2.2.2.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
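The path-setter behaviour described in the Exploitation and Mitigation sections, as an added JavaScript example that is not the just-safe-set project's code (the project's real set() is the one in the patch on this page). It shows a simplified setter without the check beside one that applies the same prototypeCheck the 2.2.2 fix introduces, plus a probe a maintainer can keep as a regression test. The names splitPath, setUnchecked, setChecked, leaksIntoPrototype and refuses are assumptions for this illustration; only prototypeCheck mirrors the patched library.

```javascript
// Added example, not code from the just-safe-set project. splitPath,
// setUnchecked, setChecked, leaksIntoPrototype and refuses are names chosen
// for this illustration; prototypeCheck mirrors the patched library's helper.

// Accept both 'a.b.c' and ['a', 'b', 'c'] path forms, copying the array so the
// caller's input is not consumed.
function splitPath(props) {
  return Array.isArray(props) ? props.slice() : String(props).split('.');
}

// The three keys through which an ordinary object reaches Object.prototype.
function prototypeCheck(prop) {
  if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
    throw new Error('setting of prototype values not supported');
  }
}

// Pre-fix shape (simplified): every segment is used as a key unvalidated, so
// '__proto__' resolves to Object.prototype and the final write lands there.
function setUnchecked(obj, props, value) {
  const path = splitPath(props);
  const lastProp = path.pop();
  if (!lastProp) return false;
  let cur = obj;
  for (const p of path) {
    if (typeof cur[p] === 'undefined') cur[p] = {};
    cur = cur[p];
  }
  cur[lastProp] = value;
  return true;
}

// Post-fix shape: the final key and every intermediate key are checked before
// any write, so 'a.__proto__.x', 'constructor.prototype.x' and a trailing
// '__proto__' in array form are all refused.
function setChecked(obj, props, value) {
  const path = splitPath(props);
  const lastProp = path.pop();
  if (!lastProp) return false;
  prototypeCheck(lastProp);
  let cur = obj;
  for (const p of path) {
    prototypeCheck(p);
    if (typeof cur[p] === 'undefined') cur[p] = {};
    cur = cur[p];
  }
  cur[lastProp] = value;
  return true;
}

// Regression probe: run a setter on the path quoted in the advisory and report
// whether an unrelated object observed the write. Object.prototype is restored
// afterwards so later code in the same process is unaffected.
function leaksIntoPrototype(setter) {
  const bystander = {}; // never touched directly by the setter
  try {
    setter({}, '__proto__.x', 'polluted');
  } catch (e) {
    // the checked setter refuses the key; that is the intended outcome
  }
  const leaked = bystander.x === 'polluted';
  delete Object.prototype.x;
  return leaked;
}

// Does a setter refuse a given path? Returns true when the call throws.
function refuses(setter, props) {
  try {
    setter({ a: {} }, props, 1);
    return false;
  } catch (e) {
    return true;
  }
}

console.log('unchecked setter leaks:', leaksIntoPrototype(setUnchecked)); // true
console.log('checked setter leaks:', leaksIntoPrototype(setChecked));     // false
console.log('checked setter refuses constructor.prototype.x:',
  refuses(setChecked, 'constructor.prototype.x'));                         // true
```

Checking every segment rather than only the last one matters because the two input forms reach Object.prototype differently: in the string path '__proto__.x' the dangerous key is an intermediate that the loop walks through, while in the array path ['a', 'b', '__proto__'] it is the final key that receives the write; the patch's tests exercise both, and the example's refuses() helper covers both as well.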

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions    Patched versions
just-safe-set  npm         >= 1.0.0, < 2.2.2    2.2.2

Affected products (1)

Patches (1)

dd57a476f4bb · add proto check (#267)
https://github.com/angus-c/just · angus croll · May 8, 2021 · via ghsa
3 files changed · +30 −1
  • packages/object-safe-set/index.js · +8 −0 · modified
    @@ -34,8 +34,10 @@ function set(obj, props, value) {
       if (!lastProp) {
         return false;
       }
    +  prototypeCheck(lastProp);
       var thisProp;
       while ((thisProp = props.shift())) {
    +    prototypeCheck(thisProp);
         if (typeof obj[thisProp] == 'undefined') {
           obj[thisProp] = {};
         }
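Review bot: The two prototypeCheck calls in this hunk change set()'s failure contract: an empty lastProp still returns false on the line just above, while a prototype key now throws, so callers that relied on the boolean return to detect rejected input will see an exception instead. Either return false for these keys to stay consistent with the existing early return, or document the throw where callers will find it; since the check is string equality on a single segment, it is only as good as the splitting that produces lastProp and thisProp, which this hunk does not show.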
    @@ -47,3 +49,9 @@ function set(obj, props, value) {
       obj[lastProp] = value;
       return true;
     }
    +
    +function prototypeCheck(prop) {
    +  if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
    +    throw new Error('setting of prototype values not supported');
    +  }
    +}
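Review bot: prototypeCheck is a module-private helper and the new Error is not surfaced anywhere a consumer would look; the package.json hunk shows the package ships typings (index.d.ts), so the declaration and the README should state that set() throws for '__proto__', 'constructor' and 'prototype' keys. A minor style point: including the offending key in the message, e.g. 'setting of prototype values not supported: ' + prop, would make the failure easier to diagnose from logs.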
    
  • packages/object-safe-set/package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "just-safe-set",
    -  "version": "2.2.1",
    +  "version": "2.2.2",
       "description": "set value at property, create intermediate properties if necessary",
       "main": "index.js",
       "types": "index.d.ts",
    
  • test/object-safe-set/index.js · +21 −0 · modified
    @@ -66,6 +66,27 @@ test("doesn't interrupt property chain, using array arg", function(t) {
       t.end();
     });
     
    +test("doesn't support setting of prototype (and related) values", function(t) {
    +  t.plan(4);
    +  t.throws(function() {
    +    var obj1 = {a: {}};
    +    set(obj1, '__proto__.x', function malice() {});
    +  });
    +  t.throws(function() {
    +    var obj1 = {a: {}};
    +    set(obj1, ['a', 'b', '__proto__'], {toString: 'hehehe'});
    +  });
    +  t.throws(function() {
    +    var obj2 = {a: {}};
    +    set(obj2, 'constructor', function FakeConstructor() {});
    +  });
    +  t.throws(function() {
    +    var obj3 = {a: {}};
    +    set(obj3, 'prototype.y', 'hahahaha');
    +  });
    +  t.end();
    +});
    +
     /* eslint-disable no-undef*/
     if (typeof Symbol === 'function') {
       test('supports symbol prop', function(t) {
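Review bot: The four t.throws cases only assert that an exception is raised; none checks that Object.prototype was left untouched, so a regression that performed the write and then threw would still pass. Add an assertion after each case such as t.equal(({}).x, undefined) (and likewise for y), and consider an array-form case with the blocked key as an intermediate, e.g. ['__proto__', 'x'], since the current array case ['a', 'b', '__proto__'] only exercises the final segment while the string cases only exercise intermediates.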
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)