CVE-2021-43138 Overview
CVE-2021-43138 is a prototype pollution vulnerability affecting the widely-used Async JavaScript library. In versions prior to 2.6.4 and 3.x versions before 3.2.2, a malicious user can obtain elevated privileges by exploiting the mapValues() method through the createObjectIterator function in lib/internal/iterator.js. This prototype pollution attack allows adversaries to inject properties into JavaScript Object prototypes, potentially leading to arbitrary code execution, denial of service, or security bypass in applications using the vulnerable library.
Critical Impact
Successful exploitation allows attackers to pollute JavaScript Object prototypes via the mapValues() method, enabling privilege escalation in Node.js applications that depend on the Async library.
Affected Products
- Async library versions prior to 2.6.4
- Async library 3.x versions prior to 3.2.2
- Fedora Linux 36 and 37 (bundled Async packages)
Discovery Timeline
- 2022-04-06 - CVE-2021-43138 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-43138
Vulnerability Analysis
This vulnerability represents a classic prototype pollution attack vector in JavaScript. The Async library's mapValues() function iterates over object properties using the createObjectIterator function located in lib/internal/iterator.js. The vulnerable implementation fails to properly sanitize object keys during iteration, allowing an attacker to inject malicious properties such as __proto__, constructor, or prototype into the base Object prototype.
When a JavaScript application processes user-controlled input through the affected mapValues() method without adequate validation, an attacker can craft a malicious payload that pollutes the Object prototype. Once polluted, these injected properties are inherited by all JavaScript objects in the application, potentially allowing attackers to:
- Override security-critical properties and bypass authentication mechanisms
- Execute arbitrary JavaScript code through polluted function references
- Cause denial of service by corrupting application state
- Escalate privileges within the application context
The vulnerability requires user interaction in the form of processing attacker-controlled data, making it a local attack vector that typically manifests in server-side Node.js applications or client-side JavaScript environments.
Root Cause
The root cause lies in the createObjectIterator function within lib/internal/iterator.js, which does not properly validate or filter object keys during the iteration process. When the mapValues() method processes an object containing specially crafted keys (such as __proto__), these keys are not sanitized, allowing direct modification of the Object prototype chain. The lack of prototype chain traversal protection enables pollution attacks through inherited property manipulation.
Attack Vector
The attack is executed locally and requires user interaction—specifically, the target application must process attacker-controlled data through the vulnerable mapValues() method. An attacker can supply a malicious object containing prototype pollution payloads as input to any application function that ultimately calls mapValues() on the data. The attack complexity is low as no special privileges are required to craft the malicious payload; however, exploitation success depends on how the target application handles the polluted prototypes.
The vulnerability is documented in the GitHub Pull Request that addresses the issue. A proof-of-concept demonstration is available via the JSFiddle Code Snippet referenced in the security advisories.
Detection Methods for CVE-2021-43138
Indicators of Compromise
- Unexpected properties appearing on base JavaScript objects (e.g., Object.prototype containing non-standard properties)
- Application behavior anomalies such as authentication bypasses or unexpected privilege grants
- Crash logs or errors indicating corrupted object state or undefined function calls on prototype-polluted objects
- Network traffic containing JSON payloads with __proto__, constructor.prototype, or similar prototype pollution patterns
Detection Strategies
- Implement runtime monitoring for modifications to Object.prototype using Object.freeze() or proxy-based detection mechanisms
- Deploy Software Composition Analysis (SCA) tools to identify vulnerable Async library versions in application dependencies
- Configure Web Application Firewalls (WAF) to detect and block requests containing prototype pollution indicators in JSON payloads
- Use static analysis tools to identify code paths that pass untrusted input to mapValues() or similar iteration functions
Monitoring Recommendations
- Monitor application logs for unexpected property access patterns on JavaScript objects
- Implement Content Security Policy (CSP) reporting to detect client-side prototype pollution exploitation attempts
- Track dependency versions across all Node.js applications and alert on known vulnerable Async versions
- Enable SentinelOne's Application Vulnerability Detection to identify exploitable library dependencies in runtime environments
How to Mitigate CVE-2021-43138
Immediate Actions Required
- Update the Async library to version 2.6.4 or later for the 2.x branch
- Update the Async library to version 3.2.2 or later for the 3.x branch
- Audit all applications using Async to identify affected deployments
- Implement input validation to reject objects containing prototype pollution keys before processing
Patch Information
The vulnerability has been addressed by the Async project maintainers. The fix is available in versions 2.6.4 and 3.2.2. The patch modifies the createObjectIterator function to properly handle object keys and prevent prototype pollution attacks. Detailed patch information is available through the following resources:
- GitHub Async Commit e1ecdbf - The security fix commit
- GitHub Async Version Compare - Changes between vulnerable and patched versions
- GitHub Async Changelog v2.6.4 - Official changelog documenting the security fix
Fedora users should apply updates as documented in the Fedora Package Announcements. NetApp customers should consult the NetApp Security Advisory ntap-20240621-0006 for product-specific guidance.
Workarounds
- Implement a custom input sanitization layer that removes or rejects prototype pollution keys (__proto__, constructor, prototype) before data reaches application code
- Freeze the Object prototype using Object.freeze(Object.prototype) at application startup to prevent pollution (note: may impact legitimate prototype extensions)
- Use Object.create(null) for objects that will contain untrusted keys to prevent prototype chain access
- Wrap calls to mapValues() with validation logic that explicitly checks for safe key names
# Configuration example
# Update Async library in Node.js projects using npm
npm update async@2.6.4
# Or for 3.x branch
npm update async@3.2.2
# Verify installed version
npm list async
# For yarn users
yarn upgrade async@2.6.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
