QwikSec

Security Database

CVE

CWE

Training

CVE-2022-21824

Published: Feb 24, 2022

Modified: Apr 30, 2025

PUBLISHED

Description

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.

Vendor	Product	Versions
NodeJS	Node	affected `4.0 - < 4.` affected `5.0 - < 5.` affected `6.0 - < 6.` affected `7.0 - < 7.` affected `8.0 - < 8.*` +9 more versions

Weaknesses (CWE)

References

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

https://hackerone.com/reports/1431042

https://www.oracle.com/security-alerts/cpuapr2022.html

https://security.netapp.com/advisory/ntap-20220325-0007/

vendor-advisory

https://www.oracle.com/security-alerts/cpujul2022.html

https://security.netapp.com/advisory/ntap-20220729-0004/

[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2022-21824 - Security Vulnerability | QwikSec