{"id":"CVE-2021-43138","details":"In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.","aliases":["GHSA-fwr7-v2mv-hh25"],"modified":"2026-03-10T23:50:18.173780Z","published":"2022-04-06T17:15:08.650Z","related":["MGASA-2025-0194","SUSE-RU-2024:0511-1","SUSE-SU-2022:3313-1","SUSE-SU-2022:3314-1","SUSE-SU-2022:3761-1","SUSE-SU-2023:2575-1","SUSE-SU-2023:2578-1","SUSE-SU-2023:2579-1","SUSE-SU-2024:0191-1","SUSE-SU-2024:0196-1","SUSE-SU-2024:0486-1","SUSE-SU-2024:0487-1","openSUSE-SU-2024:12723-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/"},{"type":"WEB"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240621-0006/"},{"type":"ADVISORY","url":"https://github.com/caolan/async/blob/master/lib/internal/iterator.js"},{"type":"ADVISORY","url":"https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js"},{"type":"ADVISORY","url":"https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264"},{"type":"FIX","url":"https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d"},{"type":"FIX","url":"https://github.com/caolan/async/compare/v2.6.3...v2.6.4"},{"type":"FIX","url":"https://github.com/caolan/async/pull/1828"},{"type":"EVIDENCE","url":"https://jsfiddle.net/oz5twjd9/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/caolan/async","events":[{"introduced":"0"},{"fixed":"c6bdaca4f9175c14fc655d3783c6af6a883e6514"},{"introduced":"72de392b6dffc466419ae7cab419d3b120d2459d"},{"fixed":"acc084e6916a86e02ac5de8dbda0517e33106bf5"},{"fixed":"e1ecdbf79264f9ab488c7799f4c76996d5dca66d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.6.4"},{"introduced":"3.0.0"},{"fixed":"3.2.2"}]}}],"versions":["v3.0.0","v3.0.1","v3.1.0","v3.1.1","v3.2.0","v3.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43138.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}