VYPR
Moderate severity · NVD Advisory · Published Jan 4, 2022 · Updated Apr 23, 2025

JavaScript Prototype Pollution in oro/platform

CVE-2021-43852

Description

OroPlatform 4.2.7 and earlier are vulnerable to client-side JavaScript prototype pollution via crafted requests, leading to potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

OroPlatform releases in the 4.1 line before 4.1.14 and in the 4.2 line before 4.2.8 are affected by a client-side JavaScript prototype pollution vulnerability [1][2]. A specially crafted request lets an attacker inject properties into built-in prototypes such as Object.prototype, so every object in the page inherits them [1]. The flaw is in the setValue helper of the UIBundle's tools.js (src/Oro/Bundle/UIBundle/Resources/public/js/tools.js, shown in the patch below), which walks a key path of segments into nested objects; the fix returns early when the first path segment is __proto__ [4].

Exploitation

The attacker sends a crafted HTTP request whose parameter names contain segments such as __proto__, constructor[prototype] or constructor.prototype [1]. No authentication is required and the attack is carried out remotely with low complexity [2]; the only user interaction needed is the victim loading a page that processes the malicious parameters [2].

Impact

Successful exploitation lets the attacker pollute Object.prototype, so every object in the page inherits attacker-chosen properties; libraries that read such properties without checking ownership (the so-called gadgets) can then be driven into JavaScript code execution [1]. Depending on the application context this compromises confidentiality, integrity and availability [2], and the CVSS scope is rated changed because the polluted prototype affects code outside the vulnerable component [2].

Mitigation

The issue is patched in OroPlatform 4.2.8 for the 4.2 line and 4.1.14 for the 4.1 line (see the package table below) [1]. Users who cannot upgrade can configure a firewall or WAF to drop requests containing the strings __proto__, constructor[prototype] and constructor.prototype [1]; such a rule must match against the URL-decoded request, since a percent-encoded form of the same string would otherwise slip past it. Commit 62c2693 implements the fix by returning early from setValue when the first path segment is __proto__ [4].
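The vulnerable pattern, the exploit and the hardening from the three sections above, as an added example that is not OroPlatform's code: a small query-string parser of my own in the style the advisory describes (bracketed key paths written into nested objects), the polluting request run through it, a hardened setter that rejects __proto__, constructor and prototype at every depth rather than only the first segment, and a decoded-string pre-filter mirroring the firewall workaround. All function names are hypothetical and the attack query is constructed for the demonstration.

```javascript
'use strict';
// Added example (not OroPlatform code). A minimal query-string parser that,
// like the pattern described above, turns "a[b][c]=v" into the nested write
// result.a.b.c = "v". All names here are hypothetical.

// "a[b][c]" -> ["a", "b", "c"]
function splitKey(key) {
  const path = [key.match(/^[^\[\]]*/)[0]];
  const re = /\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(key)) !== null) path.push(m[1]);
  return path;
}

// Vulnerable pattern: descend through root[dir] with no check on the segment
// name. root["__proto__"] is Object.prototype, so the path
// ["__proto__", "polluted"] writes Object.prototype.polluted, and
// ["constructor", "prototype", "polluted"] reaches it via root.constructor.
function setValueVulnerable(root, path, value) {
  if (path.length > 1) {
    const dir = path.shift();
    if (typeof root[dir] === 'undefined') {
      root[dir] = {};
    }
    return setValueVulnerable(root[dir], path, value);
  }
  root[path[0]] = value;
}

// Hardened version: reject the three dangerous segment names at every depth
// (not only the first segment) and never descend into an inherited property.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setValueSafe(root, path, value) {
  if (path.some(seg => FORBIDDEN.has(seg))) {
    return; // drop the whole key rather than write through a prototype
  }
  let node = root;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
}

// Parse "?k=v&a[b]=c" into an object using the supplied setter.
function parseQuery(query, setValue) {
  const result = {};
  if (query.startsWith('?')) query = query.slice(1);
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    setValue(result, splitKey(decodeURIComponent(rawKey)), decodeURIComponent(rawVal));
  }
  return result;
}

// Request-level pre-filter in the spirit of the advisory's firewall advice.
// The match runs on the decoded query: a rule that only inspects the raw
// bytes is bypassed by encoding, e.g. %5F%5Fproto%5F%5F for __proto__.
const BLOCKED = ['__proto__', 'constructor[prototype]', 'constructor.prototype'];

function requestLooksPolluting(rawQuery) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawQuery);
  } catch (e) {
    return true; // malformed percent-encoding: drop rather than guess
  }
  return BLOCKED.some(s => decoded.includes(s));
}

// Run the constructed attack query through both setters and report what a
// fresh, unrelated object inherits afterwards.
function demo() {
  const attack = '?__proto__[polluted]=yes';   // constructed sample input
  const before = ({}).polluted;
  parseQuery(attack, setValueVulnerable);
  const afterVulnerable = ({}).polluted;        // "yes": Object.prototype polluted
  delete Object.prototype.polluted;             // undo so the rest of the run is clean
  parseQuery(attack, setValueSafe);
  const afterSafe = ({}).polluted;              // undefined: key was dropped
  return { before, afterVulnerable, afterSafe };
}

console.log(demo());
```

The hardened setter checks every segment, not just the first, so a path such as a[__proto__][x] is rejected regardless of whether the setter recurses or iterates, and the hasOwnProperty check stops it walking into anything inherited. The pre-filter is only a stop-gap: it runs after decoding, which is the point a raw-string firewall rule most often gets wrong.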

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions     Patched versions
oro/platform (Packagist)   >= 4.1.0, < 4.1.14    4.1.14
oro/platform (Packagist)   >= 4.2.0, < 4.2.8     4.2.8


Patches

62c26936b3ad

BAP-21092: JavaScript Prototype Pollution (#31464)

https://github.com/oroinc/platform · Hryhorii Hrebiniuk · Dec 24, 2021 · via ghsa
1 file changed · +4 −0
  • src/Oro/Bundle/UIBundle/Resources/public/js/tools.js · +4 −0 · modified
    @@ -85,6 +85,10 @@ define(function(require) {
                     query = query.slice(1);
                 }
                 const setValue = function(root, path, value) {
    +                if (path[0] === '__proto__') {
    +                    // Prevent Object.prototype pollution
    +                    return;
    +                }
                     if (path.length > 1) {
                         const dir = path.shift();
                         if (typeof root[dir] === 'undefined') {
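Review bot: The guard checks only path[0], so a '__proto__' further along the path (a[__proto__][x]) is caught only if setValue re-enters itself for each remaining segment; that recursion is not in the visible lines, so please confirm it, or check every segment up front. It also leaves the constructor route open: a path of constructor, prototype, x reaches Object.prototype through root.constructor.prototype, even though the advisory's own firewall guidance blocks constructor[prototype] and constructor.prototype. Suggest widening the check, e.g. `if (['__proto__', 'constructor', 'prototype'].includes(path[0])) { return; }`, and refusing to descend into inherited properties (`Object.prototype.hasOwnProperty.call(root, dir)`) ahead of the `if (typeof root[dir] === 'undefined')` branch; a short comment on why these names are reserved would also help the next reader.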
    

