CVE-2022-21824 is a prototype pollution vulnerability affecting multiple versions of Node.js, specifically versions 4.0 through 17.0. The vulnerability arises from the implementation of the console.table() function, which formats tabular data for console output. When user-controlled input is passed to the "properties" parameter of console.table() alongside a plain object containing at least one property (including "__proto__"), it can lead to modification of the object's prototype. This is a form of prototype pollution categorized under CWE-471 (Modification of Assumed-Immutable Data). The pollution is limited in scope, allowing only the assignment of empty strings to numerical keys on the object prototype. This limitation reduces the attacker's ability to perform extensive prototype manipulation but still poses a risk because prototype pollution can lead to unexpected behavior in applications, including potential security bypasses or denial of service. Node.js versions starting from 12.22.9, 14.18.3, 16.13.2, and 17.3.1 mitigate this issue by using a null prototype for the objects to which properties are assigned, effectively preventing prototype pollution via this vector. No known exploits have been reported in the wild, and no CVSS score has been assigned. The vulnerability requires that user input be passed to console.table() in a specific manner, which implies some level of user interaction or input control by the attacker. However, no authentication is necessarily required to exploit this if the application exposes console.table() functionality to untrusted input. The scope of affected systems is broad, as Node.js is widely used in server-side JavaScript applications, including web servers, APIs, and development tools. Given the affected versions span many years of Node.js releases, a significant number of applications may still be vulnerable if not updated. The impact primarily concerns integrity and potentially availability, as prototype pollution can cause unexpected application behavior or crashes, but confidentiality impact is limited due to the restricted nature of the pollution.

For European organizations, the impact of CVE-2022-21824 can vary depending on their reliance on vulnerable Node.js versions and the exposure of applications that use console.table() with user-controlled input. Prototype pollution vulnerabilities can lead to application logic errors, security bypasses, or denial of service, potentially disrupting business operations or exposing systems to further exploitation. Organizations running web services, APIs, or internal tools on affected Node.js versions may experience degraded service availability or integrity issues if exploited. Although no known exploits exist in the wild, the widespread use of Node.js in European enterprises, including sectors like finance, healthcare, and government, means that unpatched systems could be targeted in the future. The limited scope of the pollution reduces the risk of severe data breaches but does not eliminate the risk of operational disruption. Additionally, supply chain dependencies on Node.js packages that internally use console.table() could indirectly expose organizations to this vulnerability. Given the critical role of Node.js in modern application stacks, even limited prototype pollution can have cascading effects on application stability and security posture.

1. Immediate upgrade to patched Node.js versions: Organizations should upgrade to Node.js versions 12.22.9, 14.18.3, 16.13.2, 17.3.1, or later, where the vulnerability is mitigated by using null prototypes. 2. Audit codebases for usage of console.table(): Review application code and dependencies to identify any usage of console.table() that passes user-controlled input to the properties parameter, especially when the first argument is a plain object. 3. Implement input validation and sanitization: Ensure that any input passed to console.table() or similar functions is strictly validated and sanitized to prevent injection of prototype keys like "__proto__". 4. Use security-focused static analysis tools: Employ tools capable of detecting prototype pollution patterns in JavaScript code to identify potential vulnerabilities before deployment. 5. Monitor application logs and behavior: Look for anomalies or errors related to object prototype manipulation or unexpected application behavior that could indicate exploitation attempts. 6. Educate developers about prototype pollution risks: Provide training on secure coding practices in JavaScript, emphasizing the dangers of prototype pollution and safe handling of user input. 7. Isolate critical services: Where possible, run Node.js applications with least privilege and isolate critical components to limit the impact of potential exploitation. 8. Review third-party dependencies: Check if any dependencies use vulnerable Node.js versions or call console.table() insecurely and update or patch them accordingly.