CVE-2021-40663
Description
deep.assign npm package version 0.0.0-alpha.0 is vulnerable to prototype pollution, allowing modification of Object prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The deep.assign npm package (version 0.0.0-alpha.0) is vulnerable to prototype pollution. This flaw arises from the improper handling of objects with __proto__ keys during the deep assignment process, allowing an attacker to modify the global Object.prototype [1][2].
Exploitation
An attacker can exploit this by crafting a JSON object containing a __proto__ property and passing it to the deepAssign function. The provided PoC demonstrates that after assignment, the prototype becomes polluted, as shown by accessing a newly introduced property on a plain object [3]. No authentication is required if the function is exposed to user input.
Impact
Successful exploitation can lead to information disclosure, denial of service, or remote code execution, depending on how the application uses the polluted prototype [3]. Properties injected into Object.prototype may affect all objects in the runtime.
Mitigation
As of the advisory, the package is at an early alpha stage and no patch is available. Users should avoid using this package or implement strict input validation to prevent __proto__ keys from being processed.
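As an added illustration of the mitigation just described (this is example code, not the deep.assign package's own implementation; the names safeDeepAssign and findForbiddenKeys, and the sample payload, are assumed and constructed for the example), the snippet below shows a deep-assign routine that refuses to walk __proto__, constructor and prototype keys, together with a validator that flags such keys in untrusted JSON so the input can be rejected and logged before it reaches any merge:

```javascript
// Added example (not code from the deep.assign package): a deep-assign that
// skips prototype-polluting keys, plus a validator that reports where such
// keys occur in untrusted input.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (literal objects, JSON.parse output, Object.create(null))
// are merged recursively; arrays, Dates, class instances etc. are copied by
// reference rather than walked.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merge `sources` into `target`. Hypothetical name and signature.
// Only own enumerable keys are copied, and forbidden keys are never assigned,
// so a JSON document carrying an own "__proto__" property (which JSON.parse
// produces as an ordinary own key) cannot reach Object.prototype.
function safeDeepAssign(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue; // never touch __proto__ and friends
      const value = source[key];
      if (isPlainObject(value)) {
        // Recurse only into an existing *own* plain-object property; otherwise
        // start from a fresh object so inherited properties are never mutated.
        const existing =
          Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
            ? target[key]
            : {};
        target[key] = safeDeepAssign(existing, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Walk parsed JSON and return JSONPath-style locations of forbidden keys, so a
// request can be rejected (and the finding logged) before any merge happens.
function findForbiddenKeys(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findForbiddenKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(childPath);
      hits.push(...findForbiddenKeys(value[key], childPath));
    }
  }
  return hits;
}

// Constructed untrusted input of the shape the advisory describes: an own
// "__proto__" key that a naive deep-assign would follow into Object.prototype.
const UNTRUSTED_JSON =
  '{"name":"alice","__proto__":{"polluted":true},"prefs":{"theme":"dark"}}';

function demo() {
  const payload = JSON.parse(UNTRUSTED_JSON);
  const findings = findForbiddenKeys(payload);          // ['$.__proto__']
  const merged = safeDeepAssign({ prefs: { lang: 'en' } }, payload);
  return {
    findings,
    merged,                                             // prefs merged, name copied, __proto__ dropped
    prototypeClean: ({}).polluted === undefined,        // true: Object.prototype untouched
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

In a request handler the validator runs first: a non-empty result from findForbiddenKeys is a reason to return 400 and emit a log line naming the offending path, which also gives detection engineering a concrete signal to alert on. The merge routine is the second layer, so a payload that slips past validation elsewhere still cannot pollute the prototype.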
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- deep.assign/deep.assign (source: description)
- ghsa-coords
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- github.com/advisories/GHSA-3829-mgmw-jcg4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-40663 (GHSA, advisory)
- github.com/janbialostok/deep-assign/issues/1 (GHSA, x_refsource_MISC, web)
- security.netapp.com/advisory/ntap-20220826-0002 (GHSA, web)
- security.netapp.com/advisory/ntap-20220826-0002/ (MITRE, x_refsource_CONFIRM)
- www.npmjs.com/package/deep.assign (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.