VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-w398-256d-abev

Essentials
Severities (17)
References (9)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-w398-256d-abev
Aliases	CVE-2021-23558 GHSA-4m8h-h59m-m34j
Summary	Prototype Pollution in bmoor
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00678	https://api.first.org/data/v1/epss?cve=CVE-2021-23558
epss	0.00678	https://api.first.org/data/v1/epss?cve=CVE-2021-23558
epss	0.00678	https://api.first.org/data/v1/epss?cve=CVE-2021-23558
epss	0.00678	https://api.first.org/data/v1/epss?cve=CVE-2021-23558
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-4m8h-h59m-m34j
cvssv3.1	7.3	https://github.com/b-heilman/bmoor
generic_textual	HIGH	https://github.com/b-heilman/bmoor
cvssv3.1	7.3	https://github.com/b-heilman/bmoor/commit/29b0162cc1dc1791fc060891f568b0ae29bc542b
generic_textual	HIGH	https://github.com/b-heilman/bmoor/commit/29b0162cc1dc1791fc060891f568b0ae29bc542b
cvssv3.1	7.3	https://nvd.nist.gov/vuln/detail/CVE-2021-23558
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2021-23558
cvssv3.1	7.3	https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664
generic_textual	HIGH	https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664
cvssv3.1	7.3	https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation
generic_textual	HIGH	https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation
cvssv3.1	7.3	https://snyk.io/vuln/SNYK-JS-BMOOR-2342622
generic_textual	HIGH	https://snyk.io/vuln/SNYK-JS-BMOOR-2342622

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2021-23558
		https://github.com/b-heilman/bmoor
		https://github.com/b-heilman/bmoor/commit/29b0162cc1dc1791fc060891f568b0ae29bc542b
		https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664
		https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation
		https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation/
		https://snyk.io/vuln/SNYK-JS-BMOOR-2342622
CVE-2021-23558		https://nvd.nist.gov/vuln/detail/CVE-2021-23558
GHSA-4m8h-h59m-m34j		https://github.com/advisories/GHSA-4m8h-h59m-m34j

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/b-heilman/bmoor

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/b-heilman/bmoor/commit/29b0162cc1dc1791fc060891f568b0ae29bc542b

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23558

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://security.snyk.io/vuln/SNYK-JS-BMOOR-598664

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://snyk.io/vuln/SNYK-JS-BMOOR-2342622

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.72014
EPSS Score	0.00678
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T20:27:43.042239+00:00	GHSA Importer	Import	https://github.com/advisories/GHSA-4m8h-h59m-m34j	38.6.0