CVE-2021-43138
Description
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in Async's mapValues() allows attackers to inject properties into the Object prototype, leading to privilege escalation in Node.js applications.
Vulnerability
A prototype pollution vulnerability exists in the Async library's mapValues() method, specifically in the createObjectIterator function in lib/internal/iterator.js. Affected versions are Async before 2.6.4 and 3.x before 3.2.2. An attacker can pass a crafted iterator that pollutes the Object prototype, allowing arbitrary property injection [2][4].
Exploitation
An attacker needs to supply a malicious iteratee function to mapValues() that modifies the __proto__ or constructor.prototype of the objects being iterated. No authentication is required if the attacker can control the input to mapValues(). The vulnerability can be triggered in Node.js environments where Async is used [1][3].
Impact
Successful exploitation results in prototype pollution, which can lead to privilege escalation, denial of service, or remote code execution depending on the application's use of polluted properties. The attacker can modify global objects, potentially bypassing security checks or injecting malicious behavior [2].
Mitigation
Fixed in Async versions 2.6.4 and 3.2.2. Users should upgrade to these versions. No EOL status; the library continues to be maintained. No workaround is available besides upgrading [1].
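The guard added by the fix can be seen in isolation using the same input as the patch's own test case. This is an added example, not code from the Async project: `mapValuesSync` and the `patched` flag are hypothetical stand-ins, and the iterator setup (`Object.keys`, `i = -1`) is an assumption about lines the diff does not show.

```javascript
// Added illustration; simplified stand-ins, not the Async library's source.

// Object iterator in the shape shown in the patch. With patched === false it
// yields every own key, including "__proto__"; with patched === true it skips
// that key the way the fix does.
// Assumption: okeys comes from Object.keys(obj) and i starts at -1.
function createObjectIterator(obj, patched) {
  const okeys = Object.keys(obj);
  let i = -1;
  const len = okeys.length;
  return function next() {
    const key = okeys[++i];
    if (patched && key === '__proto__') {
      return next();
    }
    return i < len ? { value: obj[key], key } : null;
  };
}

// Hypothetical synchronous stand-in for mapValues: each mapped value is
// copied into a fresh object by plain assignment. Assigning to the key
// "__proto__" runs the inherited setter and swaps the result's prototype.
function mapValuesSync(obj, iteratee, patched) {
  const next = createObjectIterator(obj, patched);
  const result = {};
  for (let item = next(); item !== null; item = next()) {
    result[item.key] = iteratee(item.value, item.key);
  }
  return result;
}

// Defender-side check: a result built from "{}" should still have
// Object.prototype as its prototype.
function protoReplaced(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

function demo() {
  // Constructed input, same shape as the one in the patch's test.
  // JSON.parse creates "__proto__" as an own, enumerable property.
  const input = JSON.parse('{"a": 1, "b": 2, "__proto__": {"exploit": true}}');
  const identity = (value) => value;
  const before = mapValuesSync(input, identity, false);
  const after = mapValuesSync(input, identity, true);
  return {
    beforeExploit: before.exploit,            // inherited from the injected prototype
    beforeOwnKeys: Object.keys(before),
    beforeProtoReplaced: protoReplaced(before),
    afterExploit: after.exploit,
    afterOwnKeys: Object.keys(after),
    afterProtoReplaced: protoReplaced(after),
    globalExploit: ({}).exploit,              // unrelated objects in this demo
  };
}

console.log(demo());
```

In this stand-in the injected property is reachable only through the returned object; whether that matters in a real application depends on how the mapped result is used afterwards.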
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| async (npm) | >= 3.0.0, < 3.2.2 | 3.2.2 |
| async (npm) | >= 2.0.0, < 2.6.4 | 2.6.4 |
Affected products
- Async/Async (source: description)
Patches
8f7f90342a65 Fix prototype pollution vulnerability (#1828)
2 files changed · +14 −0
lib/internal/iterator.js+3 −0 modified@@ -27,6 +27,9 @@ function createObjectIterator(obj) { var len = okeys.length; return function next() { var key = okeys[++i]; + if (key === '__proto__') { + return next(); + } return i < len ? {value: obj[key], key: key} : null; }; }
mocha_test/mapValues.js+11 −0 modified@@ -39,6 +39,17 @@ describe('mapValues', function () { done(); }); }); + + it('prototype pollution', (done) => { + var input = JSON.parse('{"a": 1, "b": 2, "__proto__": { "exploit": true }}'); + + async.mapValues(input, (val, key, next) => { + next(null, val) + }, (err, result) => { + expect(result.exploit).to.equal(undefined) + done(err); + }) + }) }); context('mapValues', function () {
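Review bot: In lib/internal/iterator.js the new `if (key === '__proto__')` guard inside `next()` carries no comment saying why this one key is skipped, and because it sits in `createObjectIterator` rather than in mapValues itself, any code path that walks an object through this iterator now silently drops an own `__proto__` key. Add a one-line comment naming the prototype-pollution reason, and record the dropped key in the changelog so the behaviour change is documented.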
e1ecdbf79264 Fix prototype pollution vulnerability
2 files changed · +14 −0
lib/internal/iterator.js+3 −0 modified@@ -26,6 +26,9 @@ function createObjectIterator(obj) { var len = okeys.length; return function next() { var key = okeys[++i]; + if (key === '__proto__') { + return next(); + } return i < len ? {value: obj[key], key} : null; }; }
test/mapValues.js+11 −0 modified@@ -60,6 +60,17 @@ describe('mapValues', () => { done(); }, 50); }); + + it('prototype pollution', (done) => { + var input = JSON.parse('{"a": 1, "b": 2, "__proto__": { "exploit": true }}'); + + async.mapValues(input, (val, key, next) => { + next(null, val) + }, (err, result) => { + expect(result.exploit).to.equal(undefined) + done(err); + }) + }) }); context('mapValues', () => {
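Review bot: The new 'prototype pollution' test in test/mapValues.js asserts only that `result.exploit` is undefined, so it would still pass if the iterator stopped early or dropped `a` and `b` along with `__proto__`. Add `expect(result).to.eql({a: 1, b: 2})`, and check `err` before reading `result.exploit` so that a failing call reports the error rather than a TypeError if `result` is not set.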
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fwr7-v2mv-hh25 (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/ (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43138 (ghsa, ADVISORY)
- github.com/caolan/async/blob/master/lib/internal/iterator.js (ghsa, WEB)
- github.com/caolan/async/blob/master/lib/mapValuesLimit.js (ghsa, WEB)
- github.com/caolan/async/blob/v2.6.4/CHANGELOG.md (ghsa, WEB)
- github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2 (ghsa, WEB)
- github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d (ghsa, WEB)
- github.com/caolan/async/compare/v2.6.3...v2.6.4 (ghsa, WEB)
- github.com/caolan/async/pull/1828 (ghsa, WEB)
- jsfiddle.net/oz5twjd9 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK (ghsa, WEB)
- security.netapp.com/advisory/ntap-20240621-0006 (ghsa, WEB)
- jsfiddle.net/oz5twjd9/ (mitre)
- security.netapp.com/advisory/ntap-20240621-0006/ (mitre)