The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-3918

CVE-2021-3918: Json-schema Prototype Pollution Flaw

CVE-2021-3918 is a prototype pollution vulnerability in json-schema that allows attackers to modify object prototype attributes. This article covers the technical details, affected versions, and remediation.

Published: February 25, 2026

CVE-2021-3918 Overview

CVE-2021-3918 is a Prototype Pollution vulnerability affecting the json-schema npm package. This vulnerability allows attackers to modify the prototype of JavaScript objects through improperly controlled modification of object prototype attributes, potentially leading to remote code execution, denial of service, or property injection attacks.

Critical Impact

This prototype pollution vulnerability in json-schema can allow unauthenticated remote attackers to inject arbitrary properties into JavaScript object prototypes, potentially enabling remote code execution, authentication bypass, or denial of service across applications using the affected library.

Affected Products

  • json-schema npm package (all versions prior to patch)
  • Debian Linux 10.0
  • Applications and services utilizing the vulnerable json-schema library

Discovery Timeline

  • 2021-11-13 - CVE CVE-2021-3918 published to NVD
  • 2025-01-17 - Last updated in NVD database

Technical Details for CVE-2021-3918

Vulnerability Analysis

This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as Prototype Pollution. The json-schema library failed to properly sanitize user-controlled input when processing schema definitions, specifically allowing the __proto__ property to be used for schema default and coerce operations.

In JavaScript, all objects inherit properties from their prototype chain. When an attacker can modify the prototype of a base object (like Object.prototype), they can inject properties that become available on all objects in the application. This can lead to severe security consequences including arbitrary code execution, authentication bypass, and denial of service.

Root Cause

The root cause lies in the lib/validate.js file where the library iterates over object type definitions without filtering out dangerous properties like __proto__. The vulnerable code used a simple hasOwnProperty check without explicitly excluding prototype-modifying properties, allowing attackers to inject malicious values through the object prototype chain during schema validation operations.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can craft malicious JSON input containing __proto__ properties that, when processed by the vulnerable json-schema library, pollutes the JavaScript object prototype. This affects all objects subsequently created in the application context, potentially leading to:

  • Remote code execution through polluted properties used in dynamic function calls
  • Authentication bypass by injecting admin or privileged role properties
  • Denial of service by corrupting application state

The following patch shows the security fix implemented to address this vulnerability:

javascript
 			}
 			
 			for(var i in objTypeDef){ 
-				if(objTypeDef.hasOwnProperty(i)){
+				if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){
 					var value = instance[i];
 					// skip _not_ specified properties
 					if (value === undefined && options.existingOnly) continue;

Source: GitHub Commit

The fix adds an explicit check to exclude the __proto__ property from being processed during schema validation, preventing prototype pollution attacks.

Detection Methods for CVE-2021-3918

Indicators of Compromise

  • Unexpected properties appearing on JavaScript objects that were not explicitly defined
  • Application behavior changes or crashes related to object property access
  • Error logs indicating undefined properties or type mismatches where none should exist
  • Network traffic containing JSON payloads with __proto__, constructor, or prototype keys

Detection Strategies

  • Implement Software Composition Analysis (SCA) tools to identify vulnerable json-schema versions in your dependency tree
  • Monitor application logs for unexpected property access patterns or prototype-related errors
  • Deploy runtime application self-protection (RASP) solutions to detect prototype pollution attempts
  • Use static analysis tools to identify direct usage of the vulnerable json-schema library

Monitoring Recommendations

  • Enable detailed logging for JSON parsing operations in applications using json-schema
  • Configure Web Application Firewalls (WAF) to detect and block payloads containing __proto__ or prototype manipulation patterns
  • Implement alerting for unexpected application crashes or behavior anomalies that may indicate prototype pollution exploitation
  • Monitor npm audit reports and dependency vulnerability scans for json-schema vulnerabilities

How to Mitigate CVE-2021-3918

Immediate Actions Required

  • Update the json-schema npm package to the latest patched version immediately
  • Run npm audit or yarn audit to identify all instances of vulnerable json-schema in your dependency tree
  • Review application code for direct usage of json-schema validation functions
  • Implement input validation to reject JSON payloads containing __proto__, constructor, or prototype keys

Patch Information

The vulnerability has been addressed in a commit to the json-schema repository. Apply the security patch by updating to a version containing commit 22f146111f541d9737e832823699ad3528ca7741. For detailed patch information, refer to the GitHub Commit and the Huntr Bounty Report.

For Debian Linux 10.0 systems, refer to the Debian LTS Security Announcement for package updates. NetApp customers should review the NetApp Security Advisory.

Workarounds

  • Implement middleware or input sanitization to recursively remove __proto__, constructor, and prototype keys from incoming JSON data before processing
  • Use Object.freeze(Object.prototype) at application startup to prevent prototype modifications (note: this may break some legitimate functionality)
  • Consider using alternative JSON schema validation libraries that are not affected by this vulnerability
  • Deploy network-level filtering to block requests containing prototype pollution payloads
bash
# Configuration example
# Update json-schema to the latest patched version
npm update json-schema

# Audit your project for vulnerable dependencies
npm audit

# If json-schema is a transitive dependency, force resolution to patched version
# Add to package.json:
# "overrides": {
#   "json-schema": ">=0.4.0"
# }

# For yarn users
yarn audit
yarn upgrade json-schema

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechJson Schema
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability1.25%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-1321
  • Technical References
  • Debian LTS Announcement
  • NetApp Security Advisory
  • Vendor Resources
  • GitHub Commit Change
  • Huntr Bounty Notification
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English