CVE-2021-23450

Prototype Pollution
Affects: Dojo in Dojo
Versions: <1.11.13, >=1.12.0 <1.12.11, >=1.13.0 <1.13.10, >=1.14.0 <1.14.9, >=1.15.0 <1.15.6, >=1.16.0 <1.16.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Dojo is a comprehensive JavaScript framework that provides modular tools for DOM manipulation, event handling, AJAX, internationalization, and object-oriented programming utilities for building web applications.

A high-severity Prototype Pollution vulnerability (CVE-2021-23450) has been identified in Dojo, which allows a malicious actor to modify an object's prototype, potentially leading to unexpected behavior or security issues.

Per OWASP: Prototype Pollution is a critical vulnerability that can allow attackers to manipulate an application's JavaScript objects and properties, leading to serious security issues such as unauthorized access to data, privilege escalation, and even remote code execution.

Details

Module Info

  • Product: Dojo
  • Affected packages: dojo
  • Affected versions:
    <1.11.13,
    >=1.12.0 <1.12.11,
    >=1.13.0 <1.13.10,
    >=1.14.0 <1.14.9,
    >=1.15.0 <1.15.6,
    >=1.16.0 <1.16.5
  • GitHub repository: https://github.com/dojo/dojo
  • Published packages: https://www.npmjs.com/package/dojo
  • Package manager: npm
  • Fixed in: NES for Dojo v1.7.5, OSS v1.11.13, OSS v1.12.11, OSS v1.13.10, OSS v1.14.9, OSS v1.15.6, OSS v1.16.5

Vulnerability Info

This high-severity vulnerability is found in many versions of Dojo less than 1.16.5. See the affected versions above for specific details.

The vulnerability exists in the dojo.setObject and dojo.getObject functions. When user-controlled property paths containing __proto__ or constructor are processed, attackers can pollute Object.prototype, leading to application-wide property injection that affects all JavaScript objects.

- The getProp helper function in dojo/_base/lang.js traverses dot-separated property paths without validating property names, allowing access to the special properties __proto__ and constructor.

- Attackers can inject malicious properties into Object.prototype by calling dojo.setObject("__proto__.injected", "value") or dojo.setObject("constructor.prototype.injected", "value"). These polluted properties then appear on all objects in the application, enabling privilege escalation, authentication bypass, or denial of service attacks depending on how the application uses object properties.
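As an added example (not Dojo's own code), the block below reimplements a minimal dot-path setter modelled on the behaviour the advisory describes, beside a hardened version that rejects reserved segments and descends only into own properties, plus a helper a test suite can use to confirm Object.prototype is still clean. The function names and the reserved-key list are assumptions for illustration.

```javascript
// Added example, not Dojo's own code: a dot-path setter in the spirit of
// dojo.setObject, shown in a naive form and a hardened form, plus a check
// a test suite can run to confirm Object.prototype is still clean.
// Function names and the RESERVED list are illustrative assumptions.

const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

// Naive form: follows every segment, including inherited ones such as
// __proto__, which is the weakness the advisory describes in getProp.
function naiveSetObject(path, value, root) {
  const parts = path.split(".");
  let obj = root;
  for (let i = 0; i < parts.length - 1; i++) {
    if (obj[parts[i]] === undefined) obj[parts[i]] = {};
    obj = obj[parts[i]];
  }
  obj[parts[parts.length - 1]] = value;
  return root;
}

// Hardened form: reject reserved segments outright and descend only into
// own, plain-object properties, so inherited objects are never reached.
function safeSetObject(path, value, root) {
  const parts = path.split(".");
  if (parts.some((p) => RESERVED.has(p))) {
    throw new Error("rejected path with reserved segment: " + path);
  }
  let obj = root;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== "object" || obj[key] === null) {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return root;
}

// Detection: report which sentinel names have leaked onto a fresh object,
// i.e. which names are now inherited from a polluted Object.prototype.
function pollutedKeys(sentinels) {
  const probe = {};
  return sentinels.filter((k) => probe[k] !== undefined);
}
```

Running pollutedKeys with a list of names your application never expects on plain objects is a cheap regression check to add after upgrading past an affected version.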

Mitigation

Dojo version 1.7.x is End-of-Life and will not receive any updates to address this issue. For more information see the Dojo website announcement.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of Dojo.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2021-23450
  • Project affected: Dojo
  • Versions affected: <1.11.13, >=1.12.0 <1.12.11, >=1.13.0 <1.13.10, >=1.14.0 <1.14.9, >=1.15.0 <1.15.6, >=1.16.0 <1.16.5
  • Published date: December 3, 2025
  • ≈ Fix date: November 26, 2025
  • Fixed in:
  • Severity level (CVSS assessment): High
  • Category: Prototype Pollution

CVSS severity scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10.