CVE-2021-44906
Description
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Minimist <=1.2.5 contains a Prototype Pollution vulnerability in its setKey() function, allowing attackers to pollute Object.prototype.
Vulnerability
Minimist versions up to and including 1.2.5 are vulnerable to Prototype Pollution via the setKey() function in index.js (lines 69–95) [1][2]. The flaw occurs when the library parses command-line arguments and assigns nested properties without filtering dangerous keys such as __proto__, constructor, or prototype. This affects all applications that use minimist to parse untrusted input [2].
Exploitation
An attacker can provide a specially crafted command-line argument string containing __proto__ keys (e.g., --__proto__.polluted true) to trigger the vulnerability. No authentication or special privileges are required; the attacker only needs the ability to pass arguments to a process that uses the vulnerable minimist version. The setKey() function recursively assigns properties, allowing the attacker to overwrite Object.prototype [2][3].
Impact
Successful exploitation leads to Prototype Pollution, which can alter the behavior of all JavaScript objects in the application. This may result in denial of service (by triggering exceptions) or, in some cases, remote code execution if the polluted property is used in a security-sensitive context [2]. The attacker gains the ability to manipulate application logic across the entire runtime environment.
Mitigation
A fix was released in minimist version 1.2.6 on 2022-03-22 [4]. Users should upgrade to 1.2.6 or later. If an immediate upgrade is not possible, developers can sanitize input before passing it to minimist or disable parsing of nested keys. The references themselves document no official workaround, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of 2025-03-21.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
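The following is an added example written for this page; it is not minimist's code. It contrasts a setKey-style dotted-key walker with no key filtering against one that applies the isConstructorOrProto() check the fix commits introduce, and adds the two things a defender wants around a minimist-era dependency: a pre-parse argv filter that drops options whose path addresses __proto__, constructor or prototype (the "sanitize input before passing it to minimist" mitigation above), and a runtime canary that reports whether Object.prototype has acquired enumerable keys. The names setKeyUnsafe, setKeySafe, filterArgv, inheritedKeysOfEmptyObject and isPrototypePolluted, and the sample argv, are this example's own.

```javascript
// Added example, not minimist's own code: a minimal dotted-key setter in the
// style of setKey(), in its pre-fix shape and in a hardened shape that applies
// the isConstructorOrProto() check from the fix commits, plus two defender-side
// helpers: an argv pre-filter (the "sanitize input before passing it to
// minimist" mitigation) and a runtime canary for a polluted Object.prototype.
// setKeyUnsafe, setKeySafe, filterArgv, inheritedKeysOfEmptyObject and
// isPrototypePolluted are names chosen for this example, not minimist's API.

// Same logic as the corrected helper in the fix: "__proto__" is always refused,
// and "constructor" is refused when it resolves to a function (stepping through
// it would reach a prototype object next).
function isConstructorOrProto(obj, key) {
  return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__';
}

// Pre-fix shape: walks "a.b.c", creating intermediate objects, with no key
// filtering, so a "__proto__" segment steps into Object.prototype and the
// final assignment lands there.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened shape: every segment, including the last, is checked; returns false
// when the assignment was dropped because a segment was refused.
function setKeySafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (isConstructorOrProto(o, key)) return false;
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (isConstructorOrProto(o, last)) return false;
  o[last] = value;
  return true;
}

// Key segments that must never appear in a user-supplied option path. A
// pre-filter cannot see the object graph, so it is conservative and also
// refuses "prototype", which the in-parser check does not need to.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Pre-parse mitigation: returns a copy of argv with every option whose dotted
// path contains a dangerous segment removed. An option written as
// "--key value" drops its value token too; "--key=value" is a single token.
// A CLI that should fail closed would throw here instead of dropping silently.
function filterArgv(argv) {
  const kept = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    const m = /^--?([^=]+)(=.*)?$/.exec(tok);
    if (!m) { kept.push(tok); continue; }          // positional argument
    const path = m[1].replace(/^no-/, '').split('.');
    if (path.some((seg) => DANGEROUS_SEGMENTS.has(seg))) {
      // No "=value" form: the next token is this option's value unless it is
      // itself an option, so skip it as well.
      if (m[2] === undefined && i + 1 < argv.length && !argv[i + 1].startsWith('-')) i++;
      continue;
    }
    kept.push(tok);
  }
  return kept;
}

// Runtime canary: a fresh object literal owns nothing, so every key that for-in
// enumerates on it was inherited from a polluted Object.prototype.
function inheritedKeysOfEmptyObject() {
  const keys = [];
  for (const key in {}) keys.push(key);
  return keys;
}

function isPrototypePolluted() {
  return inheritedKeysOfEmptyObject().length > 0;
}

// Constructed sample argv, the shape a CLI wrapper would hand to minimist.
const sampleArgv = ['--__proto__.polluted', 'true', '--name=bob', 'file.txt'];
console.log('filtered argv:', filterArgv(sampleArgv));
console.log('prototype polluted?', isPrototypePolluted());
```

The canary only sees enumerable pollution, so it is a detection aid for tests and health checks, not a substitute for upgrading; the filter is the conservative layer to put in front of any parser you cannot patch yet.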
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| minimist (npm) | >= 1.0.0, < 1.2.6 | 1.2.6 |
| minimist (npm) | < 0.2.4 | 0.2.4 |
Affected products
Vendor/product: Minimist / Minimist (85 products). The GHSA coordinates list 84 package URLs with version ranges; none carries a CPE. Ranges are paired with package URLs in the order the source lists them.

| Package URL | Distribution | Affected range |
|---|---|---|
| `pkg:npm/minimist` | | >= 1.0.0, < 1.2.6 |
| `pkg:rpm/almalinux/nodejs` | | < 1:16.18.1-3.module_el8.7.0+3371+ed8c43db |
| `pkg:rpm/almalinux/nodejs-devel` | | < 1:16.18.1-3.module_el8.7.0+3371+ed8c43db |
| `pkg:rpm/almalinux/nodejs-docs` | | < 1:16.18.1-3.module_el8.7.0+3371+ed8c43db |
| `pkg:rpm/almalinux/nodejs-full-i18n` | | < 1:16.18.1-3.module_el8.7.0+3371+ed8c43db |
| `pkg:rpm/almalinux/nodejs-libs` | | < 1:16.18.1-3.el9_1 |
| `pkg:rpm/almalinux/nodejs-nodemon` | | < 2.0.20-2.module_el8.7.0+3371+ed8c43db |
| `pkg:rpm/almalinux/nodejs-packaging` | | < 25-1.module_el8.5.0+2605+45d748af |
| `pkg:rpm/almalinux/npm` | | < 1:8.19.2-1.16.18.1.3.module_el8.7.0+3371+ed8c43db |
| `pkg:rpm/opensuse/nodejs10` | openSUSE Leap 15.3 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/opensuse/nodejs10` | openSUSE Leap 15.4 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/opensuse/nodejs12` | openSUSE Leap 15.3 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/opensuse/nodejs12` | openSUSE Leap 15.4 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/opensuse/nodejs14` | openSUSE Leap 15.3 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/opensuse/nodejs14` | openSUSE Leap 15.4 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/opensuse/nodejs8` | openSUSE Leap 15.3 | < 8.17.0-150200.10.22.1 |
| `pkg:rpm/opensuse/nodejs8` | openSUSE Leap 15.4 | < 8.17.0-150200.10.22.1 |
| `pkg:rpm/suse/inter-server-sync` | SUSE Manager Server Module 4.2 | < 0.2.2-150300.8.17.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Enterprise Storage 6 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Enterprise Storage 7 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise High Performance Computing 15-ESPOS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise High Performance Computing 15-LTSS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server 15 SP1-BCL | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server 15 SP1-LTSS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server 15 SP2-BCL | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server 15 SP2-LTSS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server 15-LTSS | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server for SAP Applications 15 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server for SAP Applications 15 SP1 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Manager Proxy 4.1 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Manager Retail Branch Server 4.1 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs10` | SUSE Manager Server 4.1 | < 10.24.1-150000.1.44.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Enterprise Storage 7 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Linux Enterprise Module for Web and Scripting 12 | < 12.22.12-1.48.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Linux Enterprise Module for Web and Scripting 15 SP3 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Linux Enterprise Server 15 SP2-BCL | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Linux Enterprise Server 15 SP2-LTSS | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Manager Proxy 4.1 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Manager Retail Branch Server 4.1 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs12` | SUSE Manager Server 4.1 | < 12.22.12-150200.4.32.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Enterprise Storage 7 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Linux Enterprise Module for Web and Scripting 12 | < 14.19.1-6.28.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Linux Enterprise Module for Web and Scripting 15 SP3 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Linux Enterprise Server 15 SP2-BCL | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Linux Enterprise Server 15 SP2-LTSS | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Manager Proxy 4.1 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Manager Retail Branch Server 4.1 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/nodejs14` | SUSE Manager Server 4.1 | < 14.19.1-150200.15.31.1 |
| `pkg:rpm/suse/prometheus-formula` | SUSE Manager Server Module 4.2 | < 0.6.2-150300.3.14.1 |
| `pkg:rpm/suse/release-notes-susemanager` | SUSE Manager Server 4.2 | < 4.2.7-150300.3.44.1 |
| `pkg:rpm/suse/release-notes-susemanager-proxy` | SUSE Manager Proxy 4.2 | < 4.2.7-150300.3.31.2 |
| `pkg:rpm/suse/release-notes-susemanager-proxy` | SUSE Manager Retail Branch Server 4.2 | < 4.2.7-150300.3.31.2 |
| `pkg:rpm/suse/salt-netapi-client` | SUSE Manager Server Module 4.2 | < 0.19.0-150300.3.6.1 |
| `pkg:rpm/suse/smdba` | SUSE Manager Server Module 4.2 | < 1.7.10-0.150300.3.6.1 |
| `pkg:rpm/suse/spacecmd` | SUSE Manager Proxy Module 4.2 | < 4.2.17-150300.4.21.4 |
| `pkg:rpm/suse/spacecmd` | SUSE Manager Server Module 4.2 | < 4.2.17-150300.4.21.4 |
| `pkg:rpm/suse/spacewalk-backend` | SUSE Manager Proxy Module 4.2 | < 4.2.22-150300.4.23.1 |
| `pkg:rpm/suse/spacewalk-backend` | SUSE Manager Server Module 4.2 | < 4.2.22-150300.4.23.1 |
| `pkg:rpm/suse/spacewalk-certs-tools` | SUSE Manager Proxy Module 4.2 | < 4.2.16-150300.3.18.3 |
| `pkg:rpm/suse/spacewalk-certs-tools` | SUSE Manager Server Module 4.2 | < 4.2.16-150300.3.18.3 |
| `pkg:rpm/suse/spacewalk-java` | SUSE Manager Server Module 4.2 | < 4.2.38-150300.3.35.1 |
| `pkg:rpm/suse/spacewalk-utils` | SUSE Manager Server Module 4.2 | < 4.2.16-150300.3.15.5 |
| `pkg:rpm/suse/spacewalk-web` | SUSE Manager Proxy Module 4.2 | < 4.2.27-150300.3.21.7 |
| `pkg:rpm/suse/spacewalk-web` | SUSE Manager Server Module 4.2 | < 4.2.27-150300.3.21.7 |
| `pkg:rpm/suse/supportutils-plugin-salt` | SUSE Manager Proxy Module 4.2 | < 1.2.0-150300.3.3.1 |
| `pkg:rpm/suse/supportutils-plugin-salt` | SUSE Manager Server Module 4.2 | < 1.2.0-150300.3.3.1 |
| `pkg:rpm/suse/susemanager` | SUSE Manager Server Module 4.2 | < 4.2.32-150300.3.31.1 |
| `pkg:rpm/suse/susemanager-doc-indexes` | SUSE Manager Server Module 4.2 | < 4.2-150300.12.27.6 |
| `pkg:rpm/suse/susemanager-docs_en` | SUSE Manager Server Module 4.2 | < 4.2-150300.12.27.1 |
| `pkg:rpm/suse/susemanager-schema` | SUSE Manager Server Module 4.2 | < 4.2.22-150300.3.21.6 |
| `pkg:rpm/suse/susemanager-sls` | SUSE Manager Server Module 4.2 | < 4.2.23-150300.3.25.4 |
| `pkg:rpm/suse/susemanager-sync-data` | SUSE Manager Server Module 4.2 | < 4.2.12-150300.3.18.3 |
| `pkg:rpm/suse/virtual-host-gatherer` | SUSE Manager Server Module 4.2 | < 1.0.23-150300.3.3.1 |
Patches
34e20b846111 [Robustness] rework isConstructorOrProto
1 file changed · +3 −3
index.js+3 −3 modified@@ -7,7 +7,7 @@ function isNumber(x) { } function isConstructorOrProto(obj, key) { - return key === 'constructor' && (typeof obj[key] === 'function' || key === '__proto__'); + return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__'; } function hasKey(obj, keys) { @@ -25,7 +25,7 @@ function setKey(obj, keys, value) { var key; for (var i = 0; i < keys.length - 1; i++) { key = keys[i]; - if (key === '__proto__' || isConstructorOrProto(o, key)) { + if (isConstructorOrProto(o, key)) { return; } if (o[key] === undefined) { o[key] = {}; } @@ -41,7 +41,7 @@ function setKey(obj, keys, value) { } key = keys[keys.length - 1]; - if (key === '__proto__') { return; } + if (isConstructorOrProto(o, key)) { return; } if ( o === Object.prototype || o === Number.prototype
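Review bot: The rework fixes an operator-precedence bug in the helper: in the removed form `key === 'constructor' && (typeof obj[key] === 'function' || key === '__proto__')` the `__proto__` test sits under `key === 'constructor'` and can never be true, so the helper only ever caught `constructor`. With the parentheses moved to `(key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__'` the helper stands on its own, which is why dropping the `key === '__proto__' ||` prefix in the loop is safe, and the last hunk is the important one: the final-key check previously tested only `__proto__`, so a path ending in `constructor` on a function-valued slot slipped past; switching it to `isConstructorOrProto(o, key)` closes that gap. Worth a one-line comment on the helper saying the grouping is deliberate, given the history.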
ef9153fc52b6 isConstructorOrProto adapted from PR
1 file changed · +7 −1
index.js+7 −1 modified@@ -6,6 +6,10 @@ function isNumber(x) { return (/^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/).test(x); } +function isConstructorOrProto(obj, key) { + return key === 'constructor' && (typeof obj[key] === 'function' || key === '__proto__'); +} + function hasKey(obj, keys) { var o = obj; keys.slice(0, -1).forEach(function (key) { @@ -21,7 +25,9 @@ function setKey(obj, keys, value) { var key; for (var i = 0; i < keys.length - 1; i++) { key = keys[i]; - if (key === '__proto__') { return; } + if (key === '__proto__' || isConstructorOrProto(o, key)) { + return; + } if (o[key] === undefined) { o[key] = {}; } if ( o[key] === Object.prototype
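Review bot: The new isConstructorOrProto() has a precedence slip: `key === 'constructor' && (typeof obj[key] === 'function' || key === '__proto__')` nests the `__proto__` comparison inside the `constructor` branch, so that clause is unreachable and the helper only detects `constructor`. The caller compensates with `key === '__proto__' || isConstructorOrProto(o, key)`, so the loop still behaves, but the helper should be written as `(key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__'` so it can be relied on by itself; and the same helper should guard the assignment of the final key, not only the intermediate segments walked by this loop.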
c2b981977fa8 isConstructorOrProto adapted from PR
1 file changed · +6 −2
index.js+6 −2 modified@@ -70,7 +70,7 @@ module.exports = function (args, opts) { var o = obj; for (var i = 0; i < keys.length-1; i++) { var key = keys[i]; - if (key === '__proto__') return; + if (isConstructorOrProto(o, key)) return; if (o[key] === undefined) o[key] = {}; if (o[key] === Object.prototype || o[key] === Number.prototype || o[key] === String.prototype) o[key] = {}; @@ -79,7 +79,7 @@ module.exports = function (args, opts) { } var key = keys[keys.length - 1]; - if (key === '__proto__') return; + if (isConstructorOrProto(o, key)) return; if (o === Object.prototype || o === Number.prototype || o === String.prototype) o = {}; if (o === Array.prototype) o = []; @@ -243,3 +243,7 @@ function isNumber (x) { return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x); } + +function isConstructorOrProto (obj, key) { + return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__'; +}
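Review bot: `key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__'` in the last hunk is correct as written because `&&` binds tighter than `||`, but please add explicit parentheses around the `&&` term so the grouping cannot be misread (the companion commit on the other branch got exactly this grouping wrong and needed a follow-up). The helper is a function declaration placed at the end of the file, so hoisting makes the earlier calls in the two setKey hunks safe; a short comment at the declaration would spare the next reader that check. Both hunks now apply the same test to intermediate and final keys, which is the right shape.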
bc8ecee43875 test from prototype pollution PR
1 file changed · +16 −0
test/proto.js+16 −0 modified@@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) { t.equal(argv.y, undefined); t.end(); }); + +test('proto pollution (constructor function)', function (t) { + var argv = parse(['--_.concat.constructor.prototype.y', '123']); + function fnToBeTested() {} + t.equal(fnToBeTested.y, undefined); + t.equal(argv.y, undefined); + t.end(); +}); + +// powered by snyk - https://github.com/backstage/backstage/issues/10343 +test('proto pollution (constructor function) snyk', function (t) { + var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' ')); + t.equal((function(){}).foo, undefined); + t.equal(argv.y, undefined); + t.end(); +})
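Review bot: In the second new test, `t.equal(argv.y, undefined)` appears to be carried over from the case above it: the input sets `foo`, not `y`, so that assertion passes vacuously; assert on `argv.foo` instead, and preferably also that `({}).foo` is undefined, since the first assertion only inspects a fresh function's `foo`. The added block also ends with `})` where the surrounding tests end with `});`.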
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xvch-5gv4-984h (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-44906 (ghsa, ADVISORY)
- github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip (ghsa, WEB)
- github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703 (ghsa, WEB)
- github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb (ghsa, WEB)
- github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d (ghsa, WEB)
- github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11 (ghsa, WEB)
- github.com/minimistjs/minimist/commits/v0.2.4 (ghsa, WEB)
- github.com/minimistjs/minimist/issues/11 (ghsa, WEB)
- github.com/minimistjs/minimist/pull/24 (ghsa, WEB)
- github.com/substack/minimist/blob/master/index.js (ghsa, WEB)
- github.com/substack/minimist/issues/164 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20240621-0006 (ghsa, WEB)
- snyk.io/vuln/SNYK-JS-MINIMIST-559764 (ghsa, WEB)
- stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20240621-0006/ (mitre)
News mentions
No linked articles in our index yet.