CVE-2021-25953
Description
Prototype pollution vulnerability in putil-merge 1.0.0-3.6.6 allows DoS and potential RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-25953 is a prototype pollution vulnerability in the putil-merge library, affecting versions 1.0.0 through 3.6.6 [1]. The flaw lets an attacker who controls one of the objects being merged write properties into a shared prototype (typically Object.prototype, via a key such as `__proto__`), so that every object in the process inherits attacker-chosen values and application logic that reads those properties behaves unexpectedly.
Exploitation
An attacker can exploit this by supplying crafted input (for example a parsed JSON request body) that the application passes to the merge function; the merge walks the attacker's keys, including prototype-related ones, and copies them without filtering. Depending on which polluted properties the application later reads, the result is a denial of service or, in some scenarios, remote code execution [2].
Impact
Successful exploitation can result in denial of service through application crashes or altered control flow, since polluted properties are visible on every object that inherits from the affected prototype. Under certain conditions, when a polluted property reaches a code path that evaluates or executes it, it may lead to remote code execution, allowing the attacker to run arbitrary commands on the system.
Mitigation
The library maintainers addressed this issue in version 3.7.0. Users are advised to update to 3.7.0 or later to mitigate the risk [1][2]. Until then, applications should reject or strip the keys `__proto__`, `constructor` and `prototype` from untrusted input before merging it.
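The following is an added example, not putil-merge's own code, illustrating the vulnerability, exploitation and mitigation sections above. It shows a naive recursive merge that is pollutable through a `__proto__` key in a parsed JSON payload, beside a hardened variant that skips prototype-related keys and only descends into the target's own properties. The payload and the `isAdmin` property name are constructed for the demonstration.

```javascript
'use strict';
// Added example: a pollutable deep merge and a hardened one.
// Not the putil-merge implementation; it only demonstrates the bug class.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: for...in visits every enumerable key of `source`, including an
// own "__proto__" key produced by JSON.parse. On a plain target object,
// target["__proto__"] resolves (through the accessor) to Object.prototype,
// so the recursion writes the attacker's values onto the shared prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: iterate own keys only, drop the three pollution vectors, and
// never recurse into a target property that is merely inherited.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body. "isAdmin" is a
// hypothetical flag some unrelated code path might check.
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// Merge the payload into a throwaway object with the given merge function and
// report whether an unrelated, pre-existing object now inherits isAdmin.
// Cleans Object.prototype afterwards so later code is not affected.
function isPollutedBy(mergeFn) {
  const victim = {};
  mergeFn({}, JSON.parse(PAYLOAD));
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log('naiveMerge pollutes Object.prototype:', isPollutedBy(naiveMerge));
console.log('safeMerge  pollutes Object.prototype:', isPollutedBy(safeMerge));

module.exports = { naiveMerge, safeMerge, isPollutedBy };
```

Running this under Node.js prints `true` for the naive merge and `false` for the hardened one: after `naiveMerge`, an object created before the merge reports `isAdmin === true` purely through inheritance, which is exactly the class of "unexpected behavior" the advisory describes.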
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| putil-merge (npm) | >= 1.0.0, < 3.7.0 | 3.7.0 |
Affected products
- putil-merge/putil-merge
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9x7m-9hpg-xxmw (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25953 (NVD)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25953 (WhiteSource vulnerability database)
News mentions
No linked articles in our index yet.