CVE-2021-3918 Overview
CVE-2021-3918 is a Prototype Pollution vulnerability affecting the json-schema npm package. This vulnerability allows attackers to modify the prototype of JavaScript objects through improperly controlled modification of object prototype attributes, potentially leading to remote code execution, denial of service, or property injection attacks.
Critical Impact
This prototype pollution vulnerability in json-schema can allow unauthenticated remote attackers to inject arbitrary properties into JavaScript object prototypes, potentially enabling remote code execution, authentication bypass, or denial of service across applications using the affected library.
Affected Products
- json-schema npm package (all versions prior to patch)
- Debian Linux 10.0
- Applications and services utilizing the vulnerable json-schema library
Discovery Timeline
- 2021-11-13 - CVE-2021-3918 published to NVD
- 2025-01-17 - Last updated in NVD database
Technical Details for CVE-2021-3918
Vulnerability Analysis
This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as Prototype Pollution. The json-schema library failed to properly sanitize user-controlled input when processing schema definitions, specifically allowing the __proto__ property to be used for schema default and coerce operations.
In JavaScript, all objects inherit properties from their prototype chain. When an attacker can modify the prototype of a base object (like Object.prototype), they can inject properties that become available on all objects in the application. This can lead to severe security consequences including arbitrary code execution, authentication bypass, and denial of service.
Root Cause
The root cause lies in the lib/validate.js file, where the library iterates over object type definitions without filtering out dangerous properties like __proto__. The vulnerable code relied on a plain hasOwnProperty check and never excluded prototype-modifying property names, so a schema key named __proto__ was processed like any other property and schema validation operations could write values into the object prototype chain.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft malicious JSON input containing __proto__ properties that, when processed by the vulnerable json-schema library, pollutes the JavaScript object prototype. This affects all objects subsequently created in the application context, potentially leading to:
- Remote code execution through polluted properties used in dynamic function calls
- Authentication bypass by injecting admin or privileged role properties
- Denial of service by corrupting application state
The following patch shows the security fix implemented to address this vulnerability:
}
for(var i in objTypeDef){
- if(objTypeDef.hasOwnProperty(i)){
+ if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){
var value = instance[i];
// skip _not_ specified properties
if (value === undefined && options.existingOnly) continue;
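Review bot: the guard on the `+` line excludes only the literal string `'__proto__'`, so a schema key named `constructor` still passes `objTypeDef.hasOwnProperty(i) && i != '__proto__'`, and on a plain object `constructor.prototype` is `Object.prototype`; a small deny-list (`__proto__`, `constructor`, `prototype`) checked with a `Set` or a helper would close that more robustly than a single string compare. Separately, `objTypeDef.hasOwnProperty(i)` invokes a method on the untrusted schema object itself, which a schema key named `hasOwnProperty` would shadow; `Object.prototype.hasOwnProperty.call(objTypeDef, i)` avoids that, and `!==` is the safer comparison for a string key.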
Source: GitHub Commit
The fix adds an explicit check to exclude the __proto__ property from being processed during schema validation, preventing prototype pollution attacks.
Detection Methods for CVE-2021-3918
Indicators of Compromise
- Unexpected properties appearing on JavaScript objects that were not explicitly defined
- Application behavior changes or crashes related to object property access
- Error logs indicating undefined properties or type mismatches where none should exist
- Network traffic containing JSON payloads with __proto__, constructor, or prototype keys
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify vulnerable json-schema versions in your dependency tree
- Monitor application logs for unexpected property access patterns or prototype-related errors
- Deploy runtime application self-protection (RASP) solutions to detect prototype pollution attempts
- Use static analysis tools to identify direct usage of the vulnerable json-schema library
Monitoring Recommendations
- Enable detailed logging for JSON parsing operations in applications using json-schema
- Configure Web Application Firewalls (WAF) to detect and block payloads containing __proto__ or prototype manipulation patterns
- Implement alerting for unexpected application crashes or behavior anomalies that may indicate prototype pollution exploitation
- Monitor npm audit reports and dependency vulnerability scans for json-schema vulnerabilities
How to Mitigate CVE-2021-3918
Immediate Actions Required
- Update the json-schema npm package to the latest patched version immediately
- Run npm audit or yarn audit to identify all instances of vulnerable json-schema in your dependency tree
- Review application code for direct usage of json-schema validation functions
- Implement input validation to reject JSON payloads containing __proto__, constructor, or prototype keys
Patch Information
The vulnerability has been addressed in a commit to the json-schema repository. Apply the security patch by updating to a version containing commit 22f146111f541d9737e832823699ad3528ca7741. For detailed patch information, refer to the GitHub Commit and the Huntr Bounty Report.
For Debian Linux 10.0 systems, refer to the Debian LTS Security Announcement for package updates. NetApp customers should review the NetApp Security Advisory.
Workarounds
- Implement middleware or input sanitization to recursively remove __proto__, constructor, and prototype keys from incoming JSON data before processing
- Use Object.freeze(Object.prototype) at application startup to prevent prototype modifications (note: this may break some legitimate functionality)
- Consider using alternative JSON schema validation libraries that are not affected by this vulnerability
- Deploy network-level filtering to block requests containing prototype pollution payloads
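The following is an added example, not code from the json-schema project or from the original advisory. It shows the generalized form of the own-property guard discussed under Root Cause, extended to the constructor and prototype keys the detection and workaround lists mention, together with a detector that reports the JSON path of each dangerous key and a sanitizer that recursively strips them before data reaches the validator. The names DANGEROUS_KEYS, isSafeKey, findPollutionKeys, stripPollutionKeys and safeParse are this example's own.

```javascript
// Keys through which a plain JSON document can reach the prototype chain
// (on a plain object, constructor.prototype is Object.prototype).
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Generalized form of the guard the patch adds to the for-in loop: an own
// property (checked via Object.prototype, so a key named "hasOwnProperty" in
// the JSON cannot shadow the method) whose name is not on the deny-list.
function isSafeKey(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) && !DANGEROUS_KEYS.has(key);
}

// Detection: return the JSON path of every dangerous key in a parsed value.
// JSON.parse creates an *own* data property literally named "__proto__"
// (an object literal in source would set the prototype instead), so
// Object.keys() lists it and the own property shadows the inherited accessor.
function findPollutionKeys(value, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (DANGEROUS_KEYS.has(key)) found.push(here);
      findPollutionKeys(value[key], here, found);
    }
  }
  return found;
}

// Mitigation: rebuild the value into fresh objects, dropping dangerous keys at
// every depth (the "recursively remove" workaround); the input is left untouched.
function stripPollutionKeys(value) {
  if (Array.isArray(value)) return value.map(stripPollutionKeys);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (isSafeKey(value, key)) clean[key] = stripPollutionKeys(value[key]);
  }
  return clean;
}

// Parse untrusted JSON (a schema or an instance) before it reaches the
// validator: reject it so the attempt can be logged, or return a stripped copy.
function safeParse(text, mode = 'reject') {
  const parsed = JSON.parse(text);
  const hits = findPollutionKeys(parsed);
  if (hits.length === 0) return parsed;
  if (mode === 'reject') throw new Error(`prototype pollution keys at ${hits.join(', ')}`);
  return stripPollutionKeys(parsed);
}
```

Reject mode is the better default for a middleware layer, since the error message carries the offending paths for alerting; strip mode suits cases where dropping the keys is preferable to failing the request.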
# Configuration example
# Update json-schema to the latest patched version
npm update json-schema
# Audit your project for vulnerable dependencies
npm audit
# If json-schema is a transitive dependency, force resolution to patched version
# Add to package.json:
# "overrides": {
#   "json-schema": ">=0.4.0"
# }
# For yarn users
yarn audit
yarn upgrade json-schema
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.