CVE-2021-21368 in msgpack5
Summary
by MITRE • 03/13/2021
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5 sets the decoded object's prototype to that value. An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other types. There is no effect on the global prototype. This "prototype poisoning" is sort of a very limited inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumer's code). This has been fixed in msgpack5 version 3.6.1, 4.5.1, and 5.2.1. See the referenced GitHub Security Advisory for an example and more details.
Analysis
by VulDB Data Team • 04/01/2021
The vulnerability identified as CVE-2021-21368 is a prototype poisoning issue in the msgpack5 library, a popular MessagePack implementation for node.js and browser environments. It affects versions prior to 3.6.1, 4.5.1, and 5.2.1, in which the library fails to handle map keys named "__proto__" safely during decoding. The flaw stems from the library's treatment of this particular key, which JavaScript exposes through the Object.prototype.__proto__ accessor for reading and setting an object's prototype, creating a security risk that can be exploited by anyone who controls the input data.
The technical mechanism involves msgpack5's handling of the "__proto__" key while decoding a map. When the library encounters a map containing the key "__proto__", it assigns the corresponding decoded value to the object being built with an ordinary property assignment, which invokes the Object.prototype.__proto__ accessor instead of creating an own property. This accessor manipulates the object's prototype chain, which is normally an internal mechanism for inheritance in JavaScript. The vulnerability becomes particularly dangerous when the value associated with "__proto__" decodes to an object or null, because the accessor then sets the prototype of the decoded object to that value. Attacker-controlled data can therefore influence the prototype chain of objects created by the library.
The operational impact of this prototype poisoning extends beyond simple data corruption, as it can lead to unexpected behavior and to code paths the application never intended to run. When the __proto__ value decodes to an Array, the resulting object inherits array properties such as length, numeric properties, and methods like push, which can cause unexpected behavior in applications that do not properly validate the decoded data. When the __proto__ value decodes to a specialized object such as a Map or Date, ordinary use of the decoded object can trigger unexpected exceptions. Any application that uses msgpack5 to decode user-controlled or untrusted MessagePack data is affected, and the outcome may be a denial of service, data corruption, or other unpredictable behavior that could be leveraged in more sophisticated attack scenarios.
The security implications align with CWE-1321, which covers prototype pollution weaknesses in JavaScript environments, and can be categorized under ATT&CK technique T1190 for exploitation of vulnerabilities in software libraries. The vulnerability's limited scope prevents it from achieving true prototype pollution at the global level: only the prototype of the specific decoded object is affected, not the global Object.prototype. The impact nonetheless remains significant for applications that do not sanitize or validate input data before processing it with msgpack5. The fix implemented in versions 3.6.1, 4.5.1, and 5.2.1 handles the "__proto__" key so that it can no longer be used to manipulate object prototypes during decoding. Organizations using msgpack5 should upgrade to these patched versions immediately and consider additional input validation to mitigate similar weaknesses in other libraries or custom code.