VYPR
Critical severity · NVD Advisory · Published Oct 28, 2022 · Updated May 7, 2025

CVE-2022-37621

Description

Prototype pollution in browserify-shim's resolveShims function allows attackers to pollute Object.prototype via crafted fullPath input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2022-37621 is a prototype pollution vulnerability in the resolveShims function of the resolve-shims.js file in the browserify-shim package (version 3.8.15). The flaw occurs when the fullPath variable is used to set properties on an object without proper sanitization, allowing an attacker to inject properties into the global Object.prototype [1][2]. This is a classic prototype pollution pattern where user-controlled input can modify the prototype chain of all objects.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious fullPath value that contains special keys like __proto__ or constructor.prototype. When the resolveShims function processes this input, it pollutes the prototype of all objects in the application [3][4]. The attack requires the ability to influence the fullPath variable, which may be achieved through a malicious package.json or shim configuration file. No authentication is needed if the attacker can supply such a file to the build process.

Impact

Successful exploitation allows an attacker to pollute Object.prototype, leading to potential property injection across the entire application. This can result in denial of service, unexpected behavior, or in some cases, arbitrary code execution if the polluted properties are used in security-sensitive operations [3]. The impact is amplified in server-side or build-time contexts where the polluted prototype affects all subsequent object operations.

Mitigation

The vulnerability has been patched in a commit to the browserify-shim repository [2]. Users should update to a version that includes the fix (e.g., after commit 97855e6). There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog. As a workaround, users can avoid processing untrusted shim configurations or sanitize input before passing it to resolveShims.
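A defensive input filter in the spirit of the #246 fix, shown here as an added JavaScript example that is not browserify-shim's own code. It copies a parsed shim configuration into prototype-less objects, drops the keys that can reach the prototype chain instead of copying them, and ends with a probe a build step can run after processing untrusted configuration to confirm that Object.prototype is untouched. The function names, the sample package.json block and the "global:" export convention are assumptions made for the illustration.

```javascript
// Added example, not code from browserify-shim. Demonstrates the defensive
// pattern of the #246 patch on this page: skip prototype-manipulating keys
// before copying a parsed shim configuration into fresh objects.
// Function names, the sample config and the "global:" convention are assumed.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for keys that are safe to use as plain data keys.
function isSafeKey(key) {
  return typeof key === 'string' && !UNSAFE_KEYS.has(key);
}

// Split a shim map into plain shims and "expose as global" entries.
// Unsafe keys are recorded and dropped rather than silently copied.
function separateExposeGlobalsSafe(shims) {
  const onlyShims = Object.create(null);     // no prototype chain to reach
  const exposeGlobals = Object.create(null);
  const dropped = [];
  for (const k of Object.keys(shims)) {
    if (!isSafeKey(k)) {
      dropped.push(k);
      continue;
    }
    const val = shims[k];
    const exp = val && val.exports;
    if (typeof exp === 'string' && exp.startsWith('global:')) {
      exposeGlobals[k] = exp.slice('global:'.length);
    } else {
      onlyShims[k] = val;
    }
  }
  return { onlyShims, exposeGlobals, dropped };
}

// Post-processing probe: a brand-new object must not see any of the given
// names through its prototype chain. Returns false if pollution happened.
function prototypeIsClean(probeKeys) {
  const probe = {};
  return probeKeys.every((k) => !(k in probe));
}

// Constructed sample: a package.json "browserify-shim" block as JSON.parse
// delivers it. JSON.parse keeps "__proto__" as an own, enumerable property,
// so Object.keys() enumerates it like any other key.
const SAMPLE_CONFIG = JSON.parse(`{
  "jquery": { "exports": "global:jQuery" },
  "./vendor/widget.js": { "exports": "Widget" },
  "__proto__": { "exports": "global:polluted" },
  "constructor": { "prototype": { "injected": true } }
}`);

// Runs the filter over the sample and reports what was kept, what was
// dropped, and whether Object.prototype is still clean afterwards.
function demo() {
  const result = separateExposeGlobalsSafe(SAMPLE_CONFIG);
  return { ...result, clean: prototypeIsClean(['polluted', 'injected']) };
}

console.log(demo());
```

Using Object.create(null) for the output maps means that even a key that slips past the filter has no prototype to land on; the filter plus the probe give a build pipeline two independent checks on untrusted shim configuration.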

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions   Patched versions
browserify-shim   npm         < 3.8.16            3.8.16


Patches

97855e622b6d

resolve-shims: prevent prototype manipulation (#246)

https://github.com/thlorenz/browserify-shim · Ben Drucker · Oct 14, 2022 · via ghsa
1 file changed · +5 −0
  • lib/resolve-shims.js · +5 −0 · modified
    @@ -123,6 +123,11 @@ function separateExposeGlobals(shims) {
         , exposeGlobals = {};
     
       Object.keys(shims).forEach(function (k) {
    +    // https://github.com/thlorenz/browserify-shim/issues/245
    +    if (k === '__proto__' || k === 'constructor') {
    +      return;
    +    }
    +
         var val = shims[k]
           , exp = val && val.exports;
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
