CVE-2021-43138 Overview
CVE-2021-43138 is a prototype pollution vulnerability in the async JavaScript library, a widely used Node.js utility module for working with asynchronous operations. The flaw exists in the createObjectIterator prototype within lib/internal/iterator.js and is triggered through the mapValues() method. A malicious actor supplying crafted input can pollute Object.prototype, enabling privilege escalation or unexpected behavior in downstream consumers of the library.
The vulnerability affects async versions before 2.6.4 and 3.x versions before 3.2.2. It is classified under [CWE-1321] (Improperly Controlled Modification of Object Prototype Attributes).
Critical Impact
Successful exploitation allows attackers to modify Object.prototype properties, potentially leading to privilege escalation, denial of service, or arbitrary code execution within applications that depend on async.
Affected Products
- async library versions prior to 2.6.4
- async library 3.x versions prior to 3.2.2
- Fedora 36 and Fedora 37 distributions shipping the affected package
Discovery Timeline
- 2022-04-06 - CVE-2021-43138 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-43138
Vulnerability Analysis
The async library provides higher-order functions for iterating over collections asynchronously. The mapValues() function internally constructs an object iterator through createObjectIterator in lib/internal/iterator.js. The iterator implementation fails to validate property keys before assigning them, allowing the special key __proto__ to traverse into Object.prototype.
When attacker-controlled data flows into mapValues() as input, properties placed on Object.prototype become visible to every object in the JavaScript runtime. Applications that subsequently consult these polluted properties for authorization decisions, configuration lookups, or template rendering inherit attacker-supplied values.
The practical impact depends on the host application. Common consequences include bypassing access control checks, injecting unexpected fields into serialized output, and triggering remote code execution when polluted gadgets reach child_process or similar sinks.
Root Cause
The root cause is missing key validation inside createObjectIterator. The iterator copies keys from a source object into a result without filtering reserved property names such as __proto__, constructor, or prototype. This pattern matches [CWE-1321], where dynamic property assignment reaches the prototype chain.
Attack Vector
Exploitation requires that user-controlled data reach mapValues() or related iteration methods that share the vulnerable createObjectIterator code path. The CVSS vector indicates local attack vector with user interaction, reflecting scenarios where a developer or operator processes attacker-supplied JSON or configuration through the affected functions.
The upstream fix in commit e1ecdbf79264f9ab488c7799f4c76996d5dca66d (GitHub Commit) and pull request #1828 adds explicit key filtering to prevent prototype access. Reviewing the version comparison v2.6.3 to v2.6.4 shows the precise lines changed.
No public proof-of-concept exploit is listed in CISA KEV, and the EPSS data does not indicate active exploitation in the wild.
Detection Methods for CVE-2021-43138
Indicators of Compromise
- Presence of unexpected properties on Object.prototype at runtime, observable through Object.getOwnPropertyNames(Object.prototype)
- Application logs showing anomalous property access errors or unexpected default values after parsing user-supplied JSON
- Node.js process behavior changes following ingestion of objects containing __proto__ keys
Detection Strategies
- Inventory all Node.js projects and container images for async versions below 2.6.4 or 3.2.2 using software composition analysis tools
- Audit application code for calls to mapValues(), mapValuesLimit(), and mapValuesSeries() that receive untrusted input
- Enable runtime protection that monitors writes to Object.prototype and flags prototype pollution patterns
Monitoring Recommendations
- Track outbound dependency manifests (package.json, package-lock.json, yarn.lock) for pinned vulnerable versions during CI/CD scans
- Forward Node.js application logs to a centralized analytics platform and alert on errors referencing undefined or unexpected properties
- Monitor Fedora 36 and 37 hosts for the affected nodejs-async package using vulnerability management feeds
How to Mitigate CVE-2021-43138
Immediate Actions Required
- Upgrade async to version 2.6.4 or 3.2.2 or later across all Node.js projects and container images
- Rebuild and redeploy applications after dependency updates to ensure the patched version is loaded at runtime
- Apply Fedora package updates referenced in the Fedora package announcement for affected systems
Patch Information
The maintainers fixed the issue in commit e1ecdbf79264f9ab488c7799f4c76996d5dca66d (GitHub Commit) and released it in versions 2.6.4 and 3.2.2. See the v2.6.4 changelog and pull request #1828 for the full set of changes. NetApp customers should consult NetApp Security Advisory ntap-20240621-0006 for product-specific guidance.
Workarounds
- Validate and sanitize all user-supplied input before passing it to async iteration functions, stripping __proto__, constructor, and prototype keys
- Use Object.create(null) for objects derived from untrusted input to avoid inheriting from Object.prototype
- Freeze Object.prototype at process startup with Object.freeze(Object.prototype) where compatible with the application stack
# Configuration example
npm install async@^2.6.4 # for 2.x branch
npm install async@^3.2.2 # for 3.x branch
npm ls async # verify resolved version across the dependency tree
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
