{"id":"CVE-2021-43138","details":"In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method through prototype pollution in createObjectIterator (lib/internal/iterator.js).","aliases":["GHSA-fwr7-v2mv-hh25"],"modified":"2026-04-16T04:40:15.615795999Z","published":"2022-04-06T17:15:08.650Z","related":["SUSE-RU-2024:0511-1","SUSE-SU-2022:3313-1","SUSE-SU-2022:3314-1","SUSE-SU-2022:3761-1","SUSE-SU-2023:2575-1","SUSE-SU-2023:2578-1","SUSE-SU-2023:2579-1","SUSE-SU-2024:0191-1","SUSE-SU-2024:0196-1","SUSE-SU-2024:0486-1","SUSE-SU-2024:0487-1","openSUSE-SU-2024:12723-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/"},{"type":"ADVISORY","url":"https://github.com/caolan/async/blob/master/lib/internal/iterator.js"},{"type":"ADVISORY","url":"https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js"},{"type":"ADVISORY","url":"https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240621-0006/"},{"type":"FIX","url":"https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d"},{"type":"FIX","url":"https://github.com/caolan/async/compare/v2.6.3...v2.6.4"},{"type":"FIX","url":"https://github.com/caolan/async/pull/1828"},{"type":"EVIDENCE","url":"https://jsfiddle.net/oz5twjd9/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/caolan/async","events":[{"introduced":"0"},{"fixed":"c6bdaca4f9175c14fc655d3783c6af6a883e6514"},{"introduced":"72de392b6dffc466419ae7cab419d3b120d2459d"},{"fixed":"acc084e6916a86e02ac5de8dbda0517e33106bf5"},{"fixed":"e1ecdbf79264f9ab488c7799f4c76996d5dca66d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.6.4"},{"introduced":"3.0.0"},{"fixed":"3.2.2"}]}}],"versions":["0.2.10","0.2.6","0.2.7","0.2.8","0.2.9","0.3.0","0.4.0","0.4.1","0.5.0","0.6.0","0.6.1","0.6.2","0.7.0","0.8.0","0.9.0","0.9.1","0.9.2","1.0.0","1.1.0","1.2.0","1.2.1","v0.1.0","v0.1.1","v0.1.15","v0.1.17","v0.1.19","v0.1.2","v0.1.20","v0.1.21","v0.1.22","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.2.4","v0.2.5","v1.2.0","v1.3.0","v1.4.0","v1.4.2","v1.5.0","v1.5.1","v1.5.2","v2.0.0","v2.0.0-alpha.0","v2.0.0-rc.1","v2.0.0-rc.2","v2.0.0-rc.3","v2.0.0-rc.4","v2.0.0-rc.5","v2.0.0-rc.6","v2.0.1","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.2.0","v2.3.0","v2.4.0","v2.4.1","v2.5.0","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v3.0.0","v3.0.1","v3.1.0","v3.1.1","v3.2.0","v3.2.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43138.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}