CVE-2021-23450 Overview
CVE-2021-23450 is a critical Prototype Pollution vulnerability affecting all versions of the Dojo JavaScript toolkit. The vulnerability exists in the setObject function within the _base/lang.js module, allowing attackers to inject properties into JavaScript Object prototypes. This can lead to remote code execution, denial of service, or security mechanism bypass across applications utilizing the affected Dojo package.
Prototype Pollution is a JavaScript-specific vulnerability that allows attackers to modify the prototype of base objects, which can have cascading effects throughout an application. Since JavaScript uses prototype-based inheritance, injected properties can propagate to all objects that inherit from the polluted prototype.
Critical Impact
This vulnerability enables attackers to remotely execute arbitrary code, manipulate application logic, or cause denial of service by polluting JavaScript Object prototypes through the setObject function without requiring authentication or user interaction.
Affected Products
- Linux Foundation Dojo (all versions for Node.js)
- Oracle Communications Policy Management 12.6.0.0.0
- Oracle Primavera Unifier (versions 18.8, 19.12, 20.12, 21.12, and prior)
- Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0
- Debian Linux 10.0
Discovery Timeline
- December 17, 2021 - CVE-2021-23450 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-23450
Vulnerability Analysis
The vulnerability resides in Dojo's setObject function located in _base/lang.js. This function is designed to set a property at a dot-separated namespace path. However, it fails to properly sanitize input paths, allowing an attacker to specify special properties like __proto__, constructor, or prototype that can modify the base Object prototype.
When exploited, this Prototype Pollution attack allows malicious properties to be injected into Object.prototype. Since nearly all JavaScript objects inherit from Object.prototype, these injected properties become accessible across the entire application context. This can lead to various attack scenarios including property injection that bypasses security checks, denial of service through application crashes, or even remote code execution when combined with gadget chains in the application.
The vulnerability is particularly dangerous because it requires no authentication or user interaction to exploit, and can be triggered remotely over the network. Applications that process user-controlled input through Dojo's setObject function are at immediate risk.
Root Cause
The root cause of CVE-2021-23450 is the lack of input validation in the setObject function when processing object path strings. The function does not check whether the provided path contains dangerous prototype-related properties (__proto__, constructor.prototype, etc.) before setting values. This oversight allows attackers to traverse the prototype chain and inject arbitrary properties into base object prototypes, fundamentally altering the behavior of all inheriting objects.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by sending a crafted request to an application that passes user-controlled data to Dojo's setObject function. The malicious input would contain a path targeting prototype properties.
For example, an attacker could provide a path like __proto__.polluted with an arbitrary value, which would then be set on Object.prototype. This polluted property would subsequently appear on all objects created in the application, potentially bypassing security controls, causing unexpected behavior, or enabling further exploitation through application-specific gadgets.
The vulnerability mechanism involves the setObject function parsing the dot-separated path and creating nested objects as needed. Without proper validation, when the path includes __proto__, the function directly accesses and modifies the prototype chain. For detailed technical analysis, see the Snyk vulnerability advisory and the vulnerable code reference on GitHub.
Detection Methods for CVE-2021-23450
Indicators of Compromise
- Unexpected properties appearing on Object.prototype or other base prototypes during runtime inspection
- Application errors or crashes related to unexpected object property values
- Web application logs showing requests with __proto__, constructor, or prototype in parameter values or JSON payloads
- Anomalous behavior in JavaScript applications where objects contain properties that were never explicitly set
Detection Strategies
- Implement application-level logging to capture and alert on input containing prototype pollution patterns such as __proto__, constructor.prototype, or similar path traversals
- Use Static Application Security Testing (SAST) tools to identify usage of the vulnerable setObject function in your codebase
- Deploy Web Application Firewalls (WAF) with rules to detect and block requests containing prototype pollution payloads
- Utilize Software Composition Analysis (SCA) tools to identify the presence of vulnerable Dojo versions in your dependency tree
Monitoring Recommendations
- Monitor application logs for JSON parsing errors or unexpected type errors that may indicate prototype pollution attempts
- Set up alerts for security events in Oracle WebLogic Server, Primavera Unifier, and Communications Policy Management related to JavaScript processing anomalies
- Implement runtime application self-protection (RASP) solutions to detect and block prototype pollution attacks in real-time
- Regularly audit your Node.js and Java application dependencies using npm audit, yarn audit, or Maven/Gradle dependency checking tools
How to Mitigate CVE-2021-23450
Immediate Actions Required
- Conduct an inventory of all applications and systems using Dojo JavaScript toolkit and assess their exposure to untrusted input
- Review application code for usage of the setObject function, particularly where it processes user-controlled data
- Implement input validation to reject or sanitize any input containing __proto__, constructor, or prototype strings before passing to Dojo functions
- Apply vendor patches for affected Oracle products as detailed in the Oracle April 2022 CPU and Oracle July 2022 CPU
Patch Information
Oracle has released security patches addressing this vulnerability in their April 2022 and July 2022 Critical Patch Updates. Organizations using affected Oracle products (Communications Policy Management, Primavera Unifier, WebLogic Server) should apply the appropriate patches from Oracle's April 2022 Security Advisory and Oracle's July 2022 Security Advisory.
For Debian Linux users, security updates have been released as documented in the Debian LTS Announcement.
For applications directly using Dojo via npm or other package managers, check for updated versions that address this vulnerability. Consult the Snyk advisory for SNYK-JS-DOJO-1535223 for the latest remediation guidance.
Workarounds
- Implement a wrapper function around setObject that validates input paths and rejects any containing prototype-related keywords (__proto__, constructor, prototype)
- Use Object.freeze(Object.prototype) in your application initialization to prevent modifications to the base Object prototype, though this may break some functionality
- Deploy Web Application Firewall (WAF) rules to filter requests containing prototype pollution payloads targeting your applications
- Consider replacing usage of setObject with safer alternatives that explicitly prevent prototype traversal, such as lodash's set function with prototype pollution protections enabled
# Configuration example - Input validation for prototype pollution prevention
# Add to your application's input processing layer
# Example WAF rule pattern (ModSecurity format)
SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@rx (__proto__|constructor\s*\[|prototype\s*\[)" \
"id:100001,phase:2,deny,status:403,msg:'Prototype Pollution Attempt Blocked'"
# npm audit to check for vulnerable dependencies
npm audit --audit-level=critical
# For Java/Maven projects using Dojo webjars
mvn dependency:tree | grep -i dojo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
