CVE-2021-44908
Description
Sails.js <=1.4.0 is vulnerable to Prototype Pollution via the loadActionModules() function in controller/load-action-modules.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sails.js <=1.4.0 is vulnerable to Prototype Pollution via the loadActionModules() function in controller/load-action-modules.js.
Vulnerability
In Sails.js (Sails) version 1.4.0 and earlier, the loadActionModules() function in lib/app/private/controller/load-action-modules.js is vulnerable to Prototype Pollution. This occurs when untrusted user input is processed by the function, allowing an attacker to pollute the Object prototype with arbitrary properties. The affected function is used to load controller action modules during application startup or when sails.reloadActions() is called [1][2].
Exploitation
An attacker can exploit this vulnerability by sending specially crafted input to a Sails.js application, which is then processed by the vulnerable loadActionModules() function. The attacker does not require authentication but must be able to provide input that reaches the vulnerable code path, such as through request parameters or configuration files. The function's handling of object properties without proper sanitization allows the attacker to inject properties like __proto__ or constructor.prototype to pollute the prototype chain [1][3].
Impact
Successful exploitation enables Prototype Pollution, which can lead to a range of security impacts including arbitrary code execution, denial of service, or property injection affecting the entire application. The attacker can manipulate properties inherited by all objects, potentially bypassing security checks or altering application behavior. The severity is considered high, with potential CVSS v3.1 score of 9.8 (Critical) according to some assessments [1].
Mitigation
As of the published date (2022-03-17), no patch has been released for Sails.js version 1.4.0 or earlier. The official GitHub repository contains a commit that adds a security note recommending against dynamically replacing controller/action files with untrusted code [4]. However, this is a workaround, not a fix. Users should monitor for updates and consider restricting untrusted input that reaches the loadActionModules() function until a patched version is available [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sailsnpm | <= 1.5.2 | — |
Affected products
2- SailsJS/Sails.jsdescription
Patches
17c5379a656bbcloses https://github.com/balderdashy/sails/issues/7209
1 file changed · +3 −0
docs/reference/application/advanced-usage/sails.reloadActions.md+3 −0 modified@@ -25,6 +25,9 @@ This method is useful primarily in development scenarios. | 1 | _options_ | ((dictionary?)) | Currently accepts one key, `hooksToSkip`, which if given should be an array of names of hooks that should _not_ call their `reloadActions` method. | 2 | _callback_ | ((function)) | A callback to be called with the virtual response. +### Notes +> - Never dynamically replace your Sails.js controller or action files on disk with untrusted code at runtime, regardless of whether you are using `.reloadActions()` in your app or not. Since `reloadActions()` runs the code in your Sails.js app's files, if the files are not safe to run, then using `reloadActions()` would be [a security risk](https://github.com/balderdashy/sails/issues/7209). This risk is only present if your Sails app is deliberately overwriting its own files to replace them with unsafe code. + <docmeta name="displayName" value="sails.reloadActions()"> <docmeta name="pageType" value="method">
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-8v3j-jfg3-v3fvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-44908ghsaADVISORY
- github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zipghsax_refsource_MISCWEB
- github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.jsghsax_refsource_MISCWEB
- github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358ghsaWEB
- github.com/balderdashy/sails/issues/7209ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.