CVE-2021-21304

Source
https://cve.org/CVERecord?id=CVE-2021-21304
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21304.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21304
Aliases
Related
Published
2021-02-08T18:15:13.537Z
Modified
2026-04-02T06:46:45.072307Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the Dynamoose codebase for various operations. We have not seen any evidence of this vulnerability being exploited. There is no evidence this vulnerability impacts versions 1.x.x, since the vulnerable method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions. Version 2.7.0 includes a patch for this vulnerability.

References

Affected packages

Git / github.com/dynamoose/dynamoose

Affected ranges

Type
GIT
Repo
https://github.com/dynamoose/dynamoose
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.7.0"
        }
    ]
}

Affected versions

v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v2.2.1
v2.3.0
v2.3.0-beta.1
v2.4.0
v2.4.1
v2.5.0
v2.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21304.json"