CVE-2022-21189 in dexie

Summary

by MITRE • 05/01/2022

The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of Object.prototype, leading to a prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.


Analysis

by VulDB Data Team • 05/04/2022

The vulnerability identified as CVE-2022-21189 affects the Dexie JavaScript database library in version 3.2.1 and earlier, and in versions 4.0.0-alpha.1 through 4.0.0-alpha.2. It is a critical prototype pollution flaw caused by insufficient input validation in the Dexie.setByKeyPath function. The flaw manifests when the library processes a key path containing a property name such as __proto__ or constructor, which lets an attacker modify Object.prototype through what appear to be ordinary database operations. It is classified under CWE-471, which classifies it as a modification of a critical system resource, here the prototype chain that underpins JavaScript's object model. Within the ATT&CK framework it maps to T1059.007 (Scripting) and T1550.001 (Use of Privileged Accounts), since it allows the core JavaScript objects that govern program behavior to be altered. The vulnerability is particularly dangerous because it can be reached through untrusted user input that flows into database collection modifications, so any application that writes user-supplied data through Dexie is exposed. The attack surface covers every application using Dexie versions prior to 3.2.2, or the affected alpha versions, in which user data reaches the setByKeyPath function.

Technically, the vulnerability arises because Dexie.setByKeyPath walks the supplied key path without validating the property names it sets. When an attacker supplies a key path containing __proto__ or constructor, the function does not reject it and therefore writes through the prototype chain. JavaScript permits Object.prototype to be modified, and a property added there becomes visible on every object in the application. Because the function cannot distinguish a legitimate property name from a prototype manipulation attempt, it gives attackers a path to alter core JavaScript behavior or, depending on how the polluted properties are later used, to inject code. The flaw is insidious because it operates at a low level in the JavaScript runtime, which makes detection difficult and exploitation straightforward. It can be triggered through any database operation that accepts user input, such as collection modifications or update operations that process key paths. The downstream effects range from code execution to denial of service or data corruption, depending on how the polluted prototype properties are subsequently consumed by the application.

The operational impact of CVE-2022-21189 goes beyond simple data corruption, because it undermines the integrity of every JavaScript application that relies on Dexie for database operations. An application running a vulnerable version can be fully compromised when user input fields feed into database operations. Successful exploitation can enable privilege escalation, modification of core application behavior, or injection of malicious code that executes in the context of the victim's browser session. The risk is most severe in applications that process user-generated content or accept untrusted input in database operations, since these are the most common vectors for prototype pollution. Organizations running affected Dexie versions face a significant risk of data breaches, service disruption, and regulatory compliance violations. The impact is amplified by the fact that a single malicious input pollutes the whole prototype chain and so changes the behavior of every object in the runtime. The vulnerability is also hard to detect with traditional security monitoring, because it is carried by database operations that look legitimate to security systems.

Mitigation for CVE-2022-21189 should start with an immediate upgrade to Dexie 3.2.2 or 4.0.0-alpha.3 and later, which contain the patches for the prototype pollution vulnerability. Organizations should also validate input at every layer of the application, particularly data that flows into database operations using the setByKeyPath function. Security teams should review the code base for every place where Dexie operations process untrusted input and ensure that such input is sanitized or validated before execution. Content Security Policy headers and other web application security measures provide additional defense in depth against exploitation attempts. Runtime monitoring that can detect anomalous prototype modifications or suspicious database operations is a further option. Regular security assessments and penetration testing should verify that the patched versions are actually deployed and that no other prototype pollution vulnerabilities remain in the application stack. The classification under CWE-471 and the mapping to ATT&CK techniques T1059.007 and T1550.001 underline the need for both defensive measures and proactive monitoring.
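As an added example (not Dexie's own code), the following key-path setter shows the validation the analysis above calls for: it rejects the property names the CVE text names before they are ever used, traverses only own properties, and includes a small integrity check an application can run to detect that Object.prototype has been polluted. The names assertSafeKeyPath, safeSetByKeyPath and pollutedPrototypeKeys are assumed for this example.

```javascript
// Added example, not Dexie's code: a hardened key-path setter of the kind an
// application can place in front of Dexie when key paths come from user input.

// Property names that can reach the prototype chain when used as a path segment.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Validate a dotted key path such as "profile.name" before any segment of it
// is used as a property name. Throws on empty or forbidden segments.
function assertSafeKeyPath(keyPath) {
  if (typeof keyPath !== 'string' || keyPath.length === 0) {
    throw new TypeError('keyPath must be a non-empty string');
  }
  for (const segment of keyPath.split('.')) {
    if (segment.length === 0 || FORBIDDEN_SEGMENTS.has(segment)) {
      throw new Error(`unsafe key path segment: ${JSON.stringify(segment)}`);
    }
  }
}

// Set obj.a.b...z = value for keyPath "a.b...z", creating intermediate plain
// objects as needed. Only own properties are followed, so an inherited
// accessor (such as __proto__) is never traversed even if the check above
// were bypassed.
function safeSetByKeyPath(obj, keyPath, value) {
  assertSafeKeyPath(keyPath);
  const segments = keyPath.split('.');
  let current = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(current, seg);
    if (!own || typeof current[seg] !== 'object' || current[seg] === null) {
      current[seg] = {};
    }
    current = current[seg];
  }
  current[segments[segments.length - 1]] = value;
  return obj;
}

// Detection check: Object.prototype has no own enumerable properties in a
// healthy runtime, so any names returned here indicate pollution.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}
```

Running pollutedPrototypeKeys at startup and after handling untrusted writes gives a cheap runtime signal of the "anomalous prototype modifications" the analysis recommends monitoring for.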

Responsible

Snyk

Reservation

02/24/2022

Disclosure

05/01/2022

Moderation

accepted

CPE

ready

EPSS

0.01884

KEV

no

Activities

very low

Sources
