CVE-2021-3766 — objection.js Prototype Pollution vulnerability

Description

objection.js prior to version 2.2.16 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). This issue is patched in version 2.2.16.

How to fix CVE-2021-3766

To remediate CVE-2021-3766, upgrade the affected package to a fixed version below.

npm/objection—upgrade to 2.2.16 or later

Is CVE-2021-3766 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.2.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3766
PATCHgithub.com/vincit/objection.js
WEBgithub.com/Vincit/objection.js/commit/46b842a6bc897198b83f41ac85c92864b991d7e9
WEBgithub.com/vincit/objection.js/commit/b41aab8dcd78f426f7468dcda541a7aca18a66a6