Disclosed
CVE-2021-43138
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Exploitation Probability (EPSS)
Low Priority0.68%
The Exploit Prediction Scoring System (EPSS) uses machine learning to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days.
0% (Theoretical)100% (Certainty)
7-Day Exploitation Trend
Vulnerability Timeline
2 eventsApr 6, 2022
Vulnerability Disclosed
Published to component-level vulnerability database.
Jun 21, 2024
Last Updated
Record updated with new analysis or tags.
Threat Actor Attribution
PREMIUM INTELAssociated Groups:Lazarus Group, APT28
Ransomware Campaigns:LockBit 3.0, BlackCat
IoCs (Indicators):14 IPs, 3 Hashes
Remediation & Mitigation
SOLUTIONOfficial patches and mitigation steps are available for this vulnerability.
# Update Command
apt-get update && apt-get upgrade -y specific-package
# Verify installation
dpkg -l | grep package-name
apt-get update && apt-get upgrade -y specific-package
# Verify installation
dpkg -l | grep package-name
Affected Products
3 Total
async_project/asyncAll Versions
fedoraproject/fedora36
fedoraproject/fedora37
References
https://github.com/caolan/async/blob/master/lib/internal/iterator.jsGitHub
Third Party Advisory
https://github.com/caolan/async/blob/master/lib/mapValuesLimit.jsGitHub
Third Party Advisory
https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264GitHub
Release NotesThird Party Advisory
https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66dGitHub
PatchThird Party Advisory
Am I Vulnerable?
Check your domain or package.json for CVE-2021-43138 exposure.
Vulnerability Details
CVSS Base Score
7.8/ 10
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published Date
Apr 6, 2022
Last Modified
Jun 21, 2024
Need Manual Validation?
Automated scanners flag false positives. Get a manual pentest validation for this CVE.