VYPR
High severity · NVD Advisory · Published Dec 25, 2022 · Updated Aug 3, 2024

Starcounter-Jack JSON-Patch prototype pollution

CVE-2021-4279

Description

Prototype pollution vulnerability in Starcounter-Jack JSON-Patch before 3.1.1 allows remote attackers to modify object prototype attributes, potentially leading to code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2021-4279 is a prototype pollution vulnerability in the Starcounter-Jack JSON-Patch library (published on npm as fast-json-patch) up to and including version 3.1.0. The library implements RFC 6902 JSON Patch, allowing callers to apply partial updates to JSON documents [1]. The issue lies in the applyOperation function's guard against prototype modification, which runs only while the banPrototypeModifications flag is enabled (its default): before the fix it rejected a path segment equal to __proto__ but not the constructor/prototype sequence, which reaches the same Object.prototype through the document's constructor function [4]. According to the official description, the attack can be initiated remotely and exploits of this vulnerability have been publicly disclosed [3].

Exploitation

Details

The vulnerability is triggered by a JSON Patch operation whose path walks through a constructor segment and then a prototype segment. For example, an attacker can send an operation such as {"op": "add", "path": "/constructor/prototype/foo", "value": "bar"}: the walker resolves constructor to the document's constructor function (Object for a plain object) and prototype to Object.prototype, then writes foo there. Because no segment equals __proto__, the pre-fix check never fires. Any web application that applies user-supplied JSON Patch data to server-side objects is exposed; the Pwn2Win CTF write-up cited as [2] describes such a target. The attacker only needs to be able to submit patch operations; no authentication is required if the endpoint accepts patches unauthenticated. Versions 3.1.0 and earlier are affected; version 3.1.1 extends the guard with the condition key == 'prototype' && t > 0 && keys[t - 1] == 'constructor', so a prototype segment immediately following a constructor segment is rejected as well [4].
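
The walk described above, as an added example that is not fast-json-patch's own code: a minimal JSON Pointer "add" walker modelled on the applyOperation loop, run once with the pre-3.1.1 guard (only __proto__ banned) and once with the 3.1.1 guard (constructor/prototype banned as well). The function names, the walker itself and the sample patches are constructed for this illustration; only the two guard conditions mirror the library's diff.

```javascript
// Added example, not fast-json-patch's code. Shows why a guard that only
// bans "__proto__" still lets "/constructor/prototype/<key>" pollute
// Object.prototype, and how the 3.1.1 condition closes that path.

// Split an RFC 6901 JSON Pointer into unescaped segments.
function parsePointer(path) {
  if (typeof path !== 'string') throw new TypeError('pointer must be a string');
  if (path === '') return [];
  if (path[0] !== '/') throw new Error('pointer must start with "/"');
  return path.slice(1).split('/').map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Simplified "add": walk the pointer and assign the value at its leaf.
// guard(keys, t) is the prototype check under test; it throws to reject.
function applyAdd(document, path, value, guard) {
  const keys = parsePointer(path);
  let obj = document;
  for (let t = 0; t < keys.length; t++) {
    const key = keys[t];
    guard(keys, t);
    if (t === keys.length - 1) {
      obj[key] = value;          // the write the attacker is after
      return document;
    }
    obj = obj[key];              // "constructor" -> Object, "prototype" -> Object.prototype
    if (obj === undefined || obj === null) throw new Error('path does not exist: ' + path);
  }
  return document;
}

// Guard as it stood before 3.1.1: only __proto__ is banned.
function guardBefore(keys, t) {
  if (keys[t] === '__proto__') throw new TypeError('modifying __proto__ is banned');
}

// Guard after the fix: also ban "prototype" directly under "constructor".
function guardAfter(keys, t) {
  const key = keys[t];
  if (key === '__proto__' || (key === 'prototype' && t > 0 && keys[t - 1] === 'constructor')) {
    throw new TypeError('modifying __proto__ or constructor/prototype is banned');
  }
}

// Apply one hostile patch (leaf key must be "polluted" so cleanup can undo it)
// to a server-side object and report what an unrelated fresh object then sees.
function runScenario(guard, path) {
  const target = { name: 'settings' };   // constructed: object that receives user patches
  let outcome;
  try {
    applyAdd(target, path, 'yes', guard);
    outcome = { threw: false, leaked: ({}).polluted };
  } catch (e) {
    outcome = { threw: true, error: e.message, leaked: ({}).polluted };
  } finally {
    delete Object.prototype.polluted;    // undo the pollution so the process stays clean
  }
  return outcome;
}

// Constructed attacker pointers, as in the text above.
const SCENARIOS = [
  ['before fix', guardBefore, '/__proto__/polluted'],              // blocked
  ['before fix', guardBefore, '/constructor/prototype/polluted'],  // pollutes Object.prototype
  ['after fix',  guardAfter,  '/constructor/prototype/polluted'],  // blocked
  ['after fix',  guardAfter,  '/__proto__/polluted'],              // still blocked
];

for (const [label, guard, path] of SCENARIOS) {
  console.log(label, path, runScenario(guard, path));
}
```

The "leaked" field is read from a brand-new object literal, which is the point of the attack: nothing about the patched target matters once Object.prototype itself carries the property.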

Impact

Successful prototype pollution lets an attacker inject properties into Object.prototype, which every plain object in the process inherits. The consequences depend on how application code reads the polluted property: a flag that is normally absent, such as an isAdmin check, may now evaluate truthy, and as the referenced CTF challenge demonstrates, pollution can be chained with template engines such as EJS to obtain remote code execution (RCE) [2]. An attacker could thus manipulate application logic, bypass security controls, or execute arbitrary commands on the server. NVD had not yet assigned a CVSS score when this narrative was written; VulDB classifies the vulnerability as problematic [3].

Mitigation

Upgrade to version 3.1.1 or later of fast-json-patch; the fix is commit 7ad6af41eabb2d799f698740a91284d762c955c9 [4]. No workarounds are officially recommended, so upgrading is the safest course. Two caveats for practitioners: the guard only runs while banPrototypeModifications is left enabled, so never set it to false when applying patches from untrusted input, and because the check matches on pointer segments, applications that can tolerate rejecting documents with keys literally named constructor or prototype can additionally refuse such paths before calling the library. The vulnerability is tracked as VDB-216778 [3].
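
The defense-in-depth check mentioned above, as an added example that is not part of the advisory or of fast-json-patch: a validator that rejects any operation whose path or from pointer contains a __proto__, constructor or prototype segment before the patch is handed to the library. It complements, and does not replace, upgrading to 3.1.1 and leaving banPrototypeModifications enabled. The function names and the sample patches are constructed for this illustration.

```javascript
// Added example, not fast-json-patch's code: pre-screen JSON Patch input so
// prototype-related pointer segments never reach applyPatch at all.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split an RFC 6901 JSON Pointer into unescaped segments; comparison happens
// on the unescaped form so "~0"/"~1" cannot disguise a segment.
function pointerSegments(pointer) {
  if (typeof pointer !== 'string') throw new TypeError('pointer must be a string');
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new TypeError('pointer must start with "/" (RFC 6901)');
  return pointer.slice(1).split('/').map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Returns { ok: true } or { ok: false, index, reason } for the first offending
// operation. Both "path" and "from" (move/copy) are screened.
function checkPatch(patch) {
  if (!Array.isArray(patch)) return { ok: false, index: -1, reason: 'patch must be an array' };
  for (let i = 0; i < patch.length; i++) {
    const op = patch[i];
    if (op === null || typeof op !== 'object') {
      return { ok: false, index: i, reason: 'operation must be an object' };
    }
    for (const field of ['path', 'from']) {
      if (!(field in op)) continue;
      let segments;
      try {
        segments = pointerSegments(op[field]);
      } catch (e) {
        return { ok: false, index: i, reason: `${field}: ${e.message}` };
      }
      const bad = segments.find(s => FORBIDDEN_SEGMENTS.has(s));
      if (bad !== undefined) {
        return { ok: false, index: i, reason: `${field} contains forbidden segment "${bad}"` };
      }
    }
  }
  return { ok: true };
}

// Constructed sample patches: one benign, three hostile.
const SAMPLES = {
  benign:    [{ op: 'replace', path: '/profile/displayName', value: 'alice' }],
  protoLeaf: [{ op: 'add', path: '/__proto__/isAdmin', value: true }],
  ctorProto: [{ op: 'add', path: '/constructor/prototype/isAdmin', value: true }],
  nestedFrom: [
    { op: 'replace', path: '/profile/displayName', value: 'bob' },
    { op: 'move', from: '/constructor/prototype', path: '/profile/copy' },
  ],
};

// Screen every sample; the caller would only pass patches with ok === true
// on to the library's applyPatch.
function runSamples() {
  const results = {};
  for (const [name, patch] of Object.entries(SAMPLES)) results[name] = checkPatch(patch);
  return results;
}

for (const [name, result] of Object.entries(runSamples())) console.log(name, result);
```

Rejecting "constructor" as a whole segment is deliberately broader than the library's fix, which only bans prototype when it directly follows constructor; the trade-off is that documents with a key literally named constructor can no longer be patched through this endpoint, which is usually acceptable for untrusted input.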

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions   Patched versions
fast-json-patch   npm         < 3.1.1             3.1.1

Affected products

2

Patches

1
7ad6af41eabb

Merge pull request #262 from 418sec/1-npm-fast-json-patch

https://github.com/Starcounter-Jack/JSON-Patch · Joachim Wester · Aug 13, 2021 · via ghsa
3 files changed · +13 -6
  • commonjs/core.js  +4 -2  modified
    @@ -188,8 +188,10 @@ function applyOperation(document, operation, validateOperation, mutateDocument,
                 if (key && key.indexOf('~') != -1) {
                     key = helpers_js_1.unescapePathComponent(key);
                 }
    -            if (banPrototypeModifications && key == '__proto__') {
    -                throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
    +            if (banPrototypeModifications &&
    +                (key == '__proto__' ||
    +                    (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {
    +                throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
                 }
                 if (validateOperation) {
                     if (existingPathFragment === undefined) {
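Review bot: no regression test accompanies this hunk (the three files changed are all core sources), so the new `constructor`/`prototype` branch has nothing pinning it against a future refactor; add a test asserting that applyOperation throws the TypeError for `/constructor/prototype/x` and `/__proto__/x` under the default flag, and that the same paths are accepted when banPrototypeModifications is false, since the message explicitly offers that escape hatch.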
    
  • module/core.mjs  +4 -2  modified
    @@ -186,8 +186,10 @@ export function applyOperation(document, operation, validateOperation, mutateDoc
                 if (key && key.indexOf('~') != -1) {
                     key = unescapePathComponent(key);
                 }
    -            if (banPrototypeModifications && key == '__proto__') {
    -                throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
    +            if (banPrototypeModifications &&
    +                (key == '__proto__' ||
    +                    (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {
    +                throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
                 }
                 if (validateOperation) {
                     if (existingPathFragment === undefined) {
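Review bot: the new condition rejects any `prototype` segment that directly follows a `constructor` segment without consulting the document, so a legitimate document with an own property literally named "constructor" holding a "prototype" field is now rejected; that is the right default for untrusted input but it is a behaviour change, and the README the error message points to should describe it next to the existing `__proto__` note rather than only the message text changing.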
    
  • src/core.ts  +5 -2  modified
    @@ -251,8 +251,11 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe
             key = unescapePathComponent(key);
           }
     
    -      if(banPrototypeModifications && key == '__proto__') {
    -        throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
    +      if(banPrototypeModifications && 
    +          (key == '__proto__' || 
    +          (key == 'prototype' && t>0 && keys[t-1] == 'constructor'))
    +        ) {
    +        throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
           }
     
           if (validateOperation) {
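Review bot: the same three-clause condition is now written out verbatim here and in commonjs/core.js and module/core.mjs; keep this file as the source of truth and pull the condition into a small helper (for example `isBannedPrototypePath(keys, t)`) so the compiled outputs cannot drift from it, and add a comment noting that comparing the raw previous segment `keys[t-1]` (the unescape above is applied to `key` only, not to `keys`) is safe because the RFC 6901 escapes `~0` and `~1` cannot spell `constructor` any other way.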
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.