CVE-2022-21824 Overview
CVE-2022-21824 is a prototype pollution vulnerability in Node.js reachable through the console.table() function. The flaw is improper handling of user-controlled input passed to the properties parameter when a plain object with at least one property is passed as the first parameter; the controlled input can name __proto__. This allows an attacker to pollute the Object prototype, potentially leading to denial of service or integrity violations in affected applications.
Critical Impact
Prototype pollution vulnerability in Node.js console.table() allows attackers to modify Object prototype properties, potentially causing application crashes or unexpected behavior across all objects in the JavaScript runtime.
Affected Products
- Node.js versions prior to 12.22.9, 14.18.3, 16.13.2, and 17.3.1
- Oracle MySQL Cluster, MySQL Connectors, MySQL Enterprise Monitor, MySQL Server, MySQL Workbench
- Oracle PeopleSoft Enterprise PeopleTools 8.58 and 8.59
- Debian Linux 10.0 and 11.0
- NetApp OnCommand Insight, OnCommand Workflow Automation, SnapCenter
Discovery Timeline
- 2022-02-24 - CVE-2022-21824 published to NVD
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2022-21824
Vulnerability Analysis
This prototype pollution vulnerability (CWE-1321, CWE-471) occurs in the formatting logic of console.table(). When building the table, the function does not properly sanitize the properties parameter, so a property name such as __proto__ causes writes to land on the Object prototype instead of on the function's internal column map. The scope is limited: the flaw can only assign empty strings to numeric keys of the Object prototype. Even so, that is enough for denial of service scenarios and potential integrity issues.
The vulnerability is exploitable over the network without requiring authentication or user interaction. While the impact on confidentiality is negligible, the vulnerability poses significant risks to system availability and data integrity, as polluted prototypes can cause unexpected behavior across all JavaScript objects in the runtime environment.
Root Cause
The root cause lies in Node.js's console.table() implementation, which did not use a null prototype object when assigning properties from user-controlled input. When the first parameter is a plain object containing a property like __proto__, and user input is passed to the properties parameter, the function inadvertently modifies the global Object prototype. The fix implemented in patched versions uses Object.create(null) to create objects with a null prototype, preventing prototype chain pollution.
Attack Vector
An attacker can exploit this vulnerability by passing specially crafted input to an application that uses console.table() with user-controlled data. The attack requires:
- A Node.js application that passes user input to console.table()'s properties parameter
- A plain object with at least one property passed as the first argument
- Crafted input targeting the __proto__ property to pollute the Object prototype
The vulnerability is network-exploitable, allowing remote attackers to trigger prototype pollution in web applications, API servers, or any Node.js service processing untrusted input through the affected function.
Detection Methods for CVE-2022-21824
Indicators of Compromise
- Unexpected empty-string values under numeric keys on Object.prototype (the footprint described under Vulnerability Analysis)
- Application crashes or unexpected behavior in JavaScript object operations
- Anomalous input patterns containing __proto__ or prototype-related strings in application logs
- Unusual console.table() calls with external or user-controlled data
Detection Strategies
- Monitor application logs for suspicious input containing __proto__, constructor, or prototype strings
- Implement runtime monitoring to detect unexpected modifications to Object.prototype
- Deploy Static Application Security Testing (SAST) tools to identify unsafe usage of console.table() with user input
- Review code for patterns where external data flows into console.table() parameters
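The runtime monitoring suggested above, as an added example that is not part of this advisory or of Node.js: it snapshots the own keys of Object.prototype at startup and reports any key added later, flagging the numeric-key/empty-string footprint this CVE leaves. The function names and the 30-second interval are assumptions.

```javascript
'use strict';
// Added example (not from the advisory or Node.js): a small runtime integrity
// check for Object.prototype. Keys present at startup form the baseline; any
// own key added afterwards is reported.

const baselineKeys = new Set(Reflect.ownKeys(Object.prototype));

// Return {key, value} for every own property of Object.prototype that was not
// present at startup. Symbol keys are stringified for reporting.
function findPrototypePollution() {
  const findings = [];
  for (const key of Reflect.ownKeys(Object.prototype)) {
    if (!baselineKeys.has(key)) {
      findings.push({ key: String(key), value: Object.prototype[key] });
    }
  }
  return findings;
}

// A numeric key holding an empty string is exactly what a successful
// console.table() pollution writes; anything else is still a prototype change
// worth alerting on, just not attributable to this CVE by shape alone.
function classify(findings) {
  return findings.map((f) => ({
    ...f,
    matchesCve202221824: /^\d+$/.test(f.key) && f.value === '',
  }));
}

// Periodic check (assumed 30 s default) emitting one JSON line per detection,
// suitable for shipping to a log pipeline or SIEM.
function startPrototypeMonitor(intervalMs = 30000, log = console.error) {
  const timer = setInterval(() => {
    const findings = classify(findPrototypePollution());
    if (findings.length > 0) {
      log(JSON.stringify({ alert: 'object_prototype_modified', findings }));
    }
  }, intervalMs);
  timer.unref(); // never keep the process alive just for the monitor
  return timer;
}
```

Call startPrototypeMonitor() once during application start-up, before any request handling, so the baseline reflects an unpolluted prototype.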
Monitoring Recommendations
- Enable detailed Node.js process logging to capture unusual prototype access patterns
- Implement application-level monitoring for property pollution attempts
- Configure web application firewalls to detect and block prototype pollution payloads
- Set up alerts for application errors related to Object prototype modifications
How to Mitigate CVE-2022-21824
Immediate Actions Required
- Upgrade Node.js to patched versions: 12.22.9+, 14.18.3+, 16.13.2+, or 17.3.1+
- Audit application code for usage of console.table() with user-controlled input
- Implement input validation to sanitize or reject prototype-related property names
- Apply vendor patches for affected Oracle and NetApp products
Patch Information
Node.js has released security patches that address this vulnerability by using a null prototype for the object when assigning properties in console.table(). The fix is available in the following versions:
- Node.js 12.x: Upgrade to version 12.22.9 or later
- Node.js 14.x: Upgrade to version 14.18.3 or later
- Node.js 16.x: Upgrade to version 16.13.2 or later
- Node.js 17.x: Upgrade to version 17.3.1 or later
For detailed patch information, refer to the Node.js Security Release Blog and the HackerOne Report #1431042. Oracle users should consult the Oracle Critical Patch Update April 2022 for affected MySQL and PeopleSoft products.
Workarounds
- Avoid passing user-controlled data to console.table()'s properties parameter
- Implement a wrapper function that sanitizes input before passing it to console.table()
- Use Object.freeze(Object.prototype) to prevent prototype modifications (may cause compatibility issues with libraries that extend built-in prototypes)
- Deploy input validation middleware to filter prototype pollution payloads at the application boundary
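The sanitizing wrapper named in the workarounds, as an added example that is not part of this advisory or of Node.js. It rejects the prototype-related names the Detection Strategies list (__proto__, constructor, prototype) and optionally enforces an application-defined allowlist of column names, which is the stronger control. The function names and the allowlist are assumptions.

```javascript
'use strict';
// Added example (not from the advisory or Node.js): validate the `properties`
// argument before it reaches console.table().

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Return a cleaned array of column names, or throw. `allowlist` is optional;
// when given, only column names the application expects are accepted.
function sanitizeTableProperties(properties, allowlist) {
  if (properties === undefined) return undefined; // console.table picks columns itself
  if (!Array.isArray(properties)) {
    throw new TypeError('properties must be an array of column names');
  }
  const clean = [];
  for (const name of properties) {
    if (typeof name !== 'string') {
      throw new TypeError('column names must be strings');
    }
    if (FORBIDDEN.has(name)) {
      throw new Error(`rejected prototype-related column name: ${name}`);
    }
    if (allowlist && !allowlist.includes(name)) {
      throw new Error(`rejected unexpected column name: ${name}`);
    }
    clean.push(name);
  }
  return clean;
}

// Drop-in replacement for console.table() that refuses unsafe column names.
// Returns the validated column list so callers can log what was rendered.
function safeConsoleTable(data, properties, allowlist) {
  const columns = sanitizeTableProperties(properties, allowlist);
  console.table(data, columns);
  return columns;
}

// Constructed sample: rows from an assumed request handler, columns chosen by
// the client but restricted to the two the application actually exposes.
const SAMPLE_ROWS = [{ id: 1, name: 'alice' }, { id: 2, name: 'bob' }];
const ALLOWED_COLUMNS = ['id', 'name'];
```

The wrapper covers the properties parameter this advisory names; it is a stop-gap, not a substitute for upgrading Node.js.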
# Verify the installed Node.js version
node --version
# If the reported version is below the patched release for its major line
# (12.22.9, 14.18.3, 16.13.2, 17.3.1), upgrade using your package manager.
# For nvm users (16.13.2 shown; pick the patched release of your major line):
nvm install 16.13.2
nvm use 16.13.2
# For system installations (Debian/Ubuntu), using a repository that ships a patched build:
sudo apt update && sudo apt install nodejs
# Verify the upgrade took effect
node --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.