CVE-2021-21368
CVE-2021-21368 is a medium-severity vulnerability in Msgpack5 Project Msgpack5 with a CVSS 3.x base score of 6.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1321.
Key facts
- Severity: Medium (CVSS 3.x base score 6.7)
- CVSS v2: 6.5
- EPSS exploit prediction: 2% (74th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-1321
- Affected product: Msgpack5 Project Msgpack5
- Published:
- Last modified:
Description
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5 sets the decoded object's prototype to that value. An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other types. There is no effect on the global prototype. This "prototype poisoning" is sort of a very limited inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumer's code). This has been fixed in msgpack5 version 3.6.1, 4.5.1, and 5.2.1. See the referenced GitHub Security Advisory for an example and more details.
Frequently asked questions
- What is CVE-2021-21368?
- msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5 sets the decoded object's prototype to that value. An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other types. There is no effect on the global prototype. This "prototype poisoning" is sort of a very limited inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumer's code). This has been fixed in msgpack5 version 3.6.1, 4.5.1, and 5.2.1. See the referenced GitHub Security Advisory for an example and more details.
- How severe is CVE-2021-21368?
- CVE-2021-21368 has a CVSS 3.x base score of 6.7, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity high, and availability high.
- Is CVE-2021-21368 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (74th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-21368?
- CVE-2021-21368 affects Msgpack5 Project Msgpack5. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-21368?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-21368 published?
- CVE-2021-21368 was published on 2021-03-12 and last updated on 2026-06-17.
References
- https://github.com/mcollina/msgpack5/commit/d4e6cb956ae51c8bb2828e71c7c1107c340cf1e8
- https://github.com/mcollina/msgpack5/releases/tag/v3.6.1
- https://github.com/mcollina/msgpack5/releases/tag/v4.5.1
- https://github.com/mcollina/msgpack5/releases/tag/v5.2.1
- https://github.com/mcollina/msgpack5/security/advisories/GHSA-gmjw-49p4-pcfm
- https://www.npmjs.com/package/msgpack5
Affected products (1)
- cpe:2.3:a:msgpack5_project:msgpack5:*:*:*:*:*:node.js:*:*
Other CWE-1321 (Prototype Pollution) vulnerabilities
- CVE-2026-25142 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__…
- CVE-2024-39008 — Critical (CVSS 10.0): robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This…
- CVE-2024-38999 — Critical (CVSS 10.0): jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This…
- CVE-2022-29823 — Critical (CVSS 10.0): Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object.…
- CVE-2022-24760 — Critical (CVSS 10.0): Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution…
- CVE-2020-12079 — Critical (CVSS 10.0): Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron…