chbrown rfc6902 pointer.ts prototype pollution
Description
A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability exists in chbrown/rfc6902's pointer.ts, allowing attackers to pollute Object.prototype via crafted JSON patches.
Vulnerability
Description
CVE-2021-4245 is a prototype pollution vulnerability identified in the chbrown/rfc6902 library, which implements RFC 6902 JSON Patch and RFC 6901 JSON Pointer in TypeScript [1]. The flaw resides in the pointer.ts file, where improper handling of specially crafted pointer paths can lead to modification of Object.prototype attributes [2]. This vulnerability is classified as problematic, with a patch reference c006ce9faa43d31edb34924f1df7b79c137096cf [3].
Exploitation
An attacker can exploit this vulnerability by supplying a malicious JSON Patch operation that uses a crafted pointer path to manipulate the prototype of the base object. The exploit does not require authentication and can be triggered remotely if an application processes untrusted patch input [2]. The manipulation leads to prototype pollution, a technique where properties are injected into Object.prototype, affecting all objects inheriting from it.
Impact
Successful exploitation allows an attacker to inject arbitrary properties into the global Object prototype, potentially leading to property injection attacks or denial of service. In applications that use the library to apply patches to user-controllable objects, this could result in unexpected behavior, security bypasses, or further code execution depending on the application context [4]. The vulnerability has been disclosed publicly, increasing the risk of exploitation.
Mitigation
The recommended action is to apply the commit c006ce9faa43d31edb34924f1df7b79c137096cf from the upstream repository [3]. Users should update the rfc6902 library to a patched version. No workarounds have been officially documented; the safest mitigation is to upgrade the dependency [2].
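The following is an added example and not code from the rfc6902 project: a minimal RFC 6901 pointer resolver that applies the same three-token guard (`__proto__`, `constructor`, `prototype`) the fix commit introduces, but rejects the whole pointer with an error instead of skipping the token, plus a small regression check that confirms a patch path aimed at the prototype chain is refused and leaves `Object.prototype` untouched. The function names `parsePointer`, `resolveParent`, `applyAdd` and `isRejectedAndClean` and the sample document are assumptions made for this illustration.

```typescript
// Added example, not the rfc6902 library's own code. Mirrors the token guard
// from the fix commit but fails closed (throws) rather than continuing.

const BLOCKED_TOKENS = new Set(['__proto__', 'constructor', 'prototype'])

// Split "/a/b~1c" into ["a", "b/c"]; RFC 6901 unescapes ~1 before ~0.
function parsePointer(pointer: string): string[] {
  if (pointer === '') return []
  if (pointer[0] !== '/') throw new Error(`Invalid JSON Pointer: ${pointer}`)
  return pointer
    .slice(1)
    .split('/')
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'))
}

// Resolve every token but the last and return the container plus final key.
// Any blocked token anywhere in the path aborts resolution, so a blocked
// token can never be handed back to a caller as `key`.
function resolveParent(root: unknown, pointer: string): { parent: Record<string, unknown>; key: string } {
  const tokens = parsePointer(pointer)
  if (tokens.length === 0) throw new Error('Cannot resolve the parent of the root pointer')
  for (const token of tokens) {
    if (BLOCKED_TOKENS.has(token)) {
      throw new Error(`Refusing to traverse prototype token: ${token}`)
    }
  }
  let current: unknown = root
  for (const token of tokens.slice(0, -1)) {
    // Only walk into own properties; inherited ones are never traversed.
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, token)) {
      throw new Error(`Path does not exist: ${pointer}`)
    }
    current = (current as Record<string, unknown>)[token]
  }
  if (current === null || typeof current !== 'object') {
    throw new Error(`Path does not exist: ${pointer}`)
  }
  return { parent: current as Record<string, unknown>, key: tokens[tokens.length - 1] }
}

// Apply a single RFC 6902 "add" operation through the hardened resolver.
function applyAdd(root: Record<string, unknown>, path: string, value: unknown): Record<string, unknown> {
  const { parent, key } = resolveParent(root, path)
  parent[key] = value
  return root
}

// Regression check: true only if the operation was rejected AND a fresh
// object still does not inherit the final path segment afterwards.
function isRejectedAndClean(path: string): boolean {
  const doc: Record<string, unknown> = { a: { b: 1 } }  // constructed sample document
  let rejected = false
  try {
    applyAdd(doc, path, 'tainted')
  } catch {
    rejected = true
  }
  const tokens = parsePointer(path)
  const lastKey = tokens[tokens.length - 1]
  const probe: Record<string, unknown> = {}
  return rejected && probe[lastKey] === undefined
}
```

`isRejectedAndClean('/__proto__/polluted')` and `isRejectedAndClean('/constructor/prototype/polluted')` both return `true`, while an ordinary path such as `/a/c` is applied normally. Throwing rather than skipping keeps the error visible to the caller and avoids resolving a different path from the one that was requested.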
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rfc6902 (npm) | < 5.0.0 | 5.0.0 |
Affected products
Patches
c006ce9faa43 Fix prototype pollution vulnerability
1 file changed · +3 −0
pointer.ts+3 −0 modified@@ -69,6 +69,9 @@ export class Pointer { for (let i = 1, l = this.tokens.length; i < l; i++) { parent = value key = this.tokens[i] + if (key == '__proto__' || key == 'constructor' || key == 'prototype') { + continue + } // not sure if this the best way to handle non-existant paths... value = (parent || {})[key] }
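Review bot: the guard uses `continue` rather than rejecting the pointer, so a blocked token is silently dropped and the remaining tokens are resolved against the previous `value`, meaning a pointer such as `/a/__proto__/b` resolves as if it were `/a/b` instead of failing. More importantly, `parent = value` and `key = this.tokens[i]` are assigned before the check, so when the blocked token is the last one the loop exits with `key` still set to `'__proto__'` (or `'constructor'`/`'prototype'`) and `parent` pointing at the container; any caller that writes through the returned `parent`/`key` pair (not visible in this hunk) should be reviewed for that case. Throwing at this point, e.g. `throw new Error('refusing to traverse ' + key)`, closes both gaps, and `===` would be the idiomatic comparison in place of `==`.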
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.