@mestrtee
mestrtee / CVE-2024-24294.md
Last active April 23, 2024 17:59
[CVE-2024-24294] Prototype Pollution vulnerability affecting @blackprint/engine, versions >=0.8.12, <=0.9.1

Overview

Versions of @blackprint/engine from 0.8.12 to 0.9.1 are vulnerable to prototype pollution. The function setDeepProperty recursively assigns source properties to the destination without proper validation, so an attacker who controls the path can modify Object.prototype with a payload such as: [["__proto__"], "..."]

PoC:

(async () => {
  const lib = await import('@blackprint/engine');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  // ... remainder of the PoC is truncated in this gist preview
})();
@mestrtee
mestrtee / bunt-util.md
Last active June 17, 2024 17:12
Prototype Pollution vulnerability affecting @bunt/util@0.29.19

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Either property lets the attacker pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting depending on how the application uses the polluted objects.

Location:

@bunt/util/dist/esm/qs.js:12
@mestrtee
mestrtee / CVE-2024-30564.md
Last active April 23, 2024 18:04
[CVE-2024-30564] Prototype Pollution vulnerability affecting @andrei-tatar/nora-firebase-common module, versions >=1.0.41, <=1.12.2

Affected versions of this module are vulnerable to Prototype Pollution via updateState. The user-supplied value reaches the vulnerable function updateStateInternal, which recursively copies every child property of the source (the user-supplied value) to the destination without proper security validation.

An attacker can exploit this by manipulating the prototype of Object, modifying the built-in Object.prototype through the reachable special properties __proto__ or constructor.prototype. This potentially alters the behavior of all objects inheriting from it and lets the attacker escalate to denial of service, remote code execution or privilege escalation.

Call stack:

updateStateInternal (nora-firebase-common/build/update-state.js:54)
Module.updateState (nora-firebase-common/build/update-state.js:6)
@mestrtee
mestrtee / depath-pp.md
Last active May 18, 2024 04:25
Prototype pollution vulnerability affecting depath (alias: cool-path) module, versions *

Overview

A prototype pollution vulnerability affects the module depath (also published under the alias cool-path). An attacker could take advantage of it to manipulate the behavior of the vulnerable application by abusing built-in Object properties such as __proto__.

The vulnerability is located in setIn (lib/index.js:90), where the set() method is used to unsafely assign the source property to the destination. An attacker can exploit this method to copy a malicious property onto the built-in Object.prototype through the special properties __proto__ or constructor.prototype. Either property lets the attacker pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting depending on how the application uses the polluted objects.
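The path-based setters named in this gist (setIn/set()) and in the @blackprint/engine gist above (setDeepProperty) share one shape: walk a caller-supplied array of keys, creating intermediate objects, and assign at the end. The following is an added example, not code from either gist or either package and not either package's API, that shows a minimal setter of that shape beside a hardened version and probes both with the two routes the advisories name. Function names and the path payloads are illustrative assumptions.

```javascript
// Added example, not code from the depath or @blackprint/engine gists and not
// either package's API. Function names and payloads are illustrative assumptions.

// Vulnerable: creates a path segment only when it is missing, otherwise follows
// whatever the current object resolves it to. Because {}["__proto__"] is
// Object.prototype, and {}["constructor"]["prototype"] is too, a path that starts
// with either lands the final assignment on the prototype shared by every object.
function setDeepPropertyVulnerable(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (cur[path[i]] === undefined) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Hardened: rejects the three keys that can reach a prototype, and only descends
// into the target's *own* plain objects, never into inherited values.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setDeepPropertySafe(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  let cur = target;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-reaching key: ${key}`);
    }
    if (i === path.length - 1) {
      cur[key] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  return target;
}

// Runs one setter against a fresh target and reports whether an unrelated object,
// which shares nothing with the target except Object.prototype, now sees
// "polluted". Object.prototype is cleaned afterwards so later probes start clean.
function setAndProbe(setter, path) {
  const bystander = {};
  let error = null;
  try {
    setter({}, path, 'pwned');
  } catch (e) {
    error = e.message;
  }
  const polluted = bystander.polluted;
  delete Object.prototype.polluted;
  return { polluted, error };
}

// Constructed attacker paths, e.g. what an untrusted JSON body might carry.
const VIA_PROTO = ['__proto__', 'polluted'];
const VIA_CONSTRUCTOR = ['constructor', 'prototype', 'polluted'];

console.log('vulnerable / __proto__   :', setAndProbe(setDeepPropertyVulnerable, VIA_PROTO));
console.log('vulnerable / constructor :', setAndProbe(setDeepPropertyVulnerable, VIA_CONSTRUCTOR));
console.log('hardened   / __proto__   :', setAndProbe(setDeepPropertySafe, VIA_PROTO));
console.log('hardened   / constructor :', setAndProbe(setDeepPropertySafe, VIA_CONSTRUCTOR));
```

The own-property check matters as much as the key denylist: a path such as ["toString", "x"] must create a new own object on the target rather than descend into the inherited Object.prototype.toString. Writing the destination as Object.create(null), or freezing Object.prototype at startup, are additional defence-in-depth measures, but they do not replace validating untrusted paths.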

PoC:

@mestrtee
mestrtee / CVE-2024-36580.md
Last active June 12, 2024 14:37
[CVE-2024-36580] Prototype Pollution vulnerability affecting @cdr0/sg, version 1.0.10

Overview

Affected versions of this module allow an attacker to manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Either property lets the attacker pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting depending on how the application uses the polluted objects.

Location:

@cdr0/sg/ref.js:89
@mestrtee
mestrtee / CVE-2024-36583.md
Last active June 12, 2024 14:39
[CVE-2024-36583] Prototype Pollution vulnerability affecting @byondreal/accessor, version <= 1.0.0

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Either property lets the attacker pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting depending on how the application uses the polluted objects.

Location:

@byondreal/accessor/index.js:31
@mestrtee
mestrtee / CVE-2024-36578.md
Last active June 12, 2024 14:32
[CVE-2024-36578] Prototype Pollution vulnerability affecting @akbr/update NPM module, version 1.0.0

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Either property lets the attacker pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting depending on how the application uses the polluted objects.

Location:

update/index.js:42
@mestrtee
mestrtee / json-override-pp.md
Last active May 18, 2024 03:54
Prototype Pollution vulnerability affecting json-override module, version *

Overview

Affected versions of this package are vulnerable to Prototype Pollution due to recursive assignment of properties from source to destination. An attacker can exploit this by injecting __proto__ as a key in the source, which pollutes the global prototype; depending on how the application uses the package, this can be escalated to denial of service, remote code execution or cross-site scripting.

Location:

json-override/json-override.js:18

@mestrtee
mestrtee / 75lb-deep-merge.md
Last active May 18, 2024 04:22
Prototype Pollution vulnerability affecting @75lb/deep-merge NPM module, versions *

Overview

All versions of this package are vulnerable to Prototype Pollution because they rely on vulnerable lodash merge methods to merge objects. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Either property lets the attacker pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting depending on how the application uses the polluted objects.

PoC:

(async () => {
  const lib = await import('@75lb/deep-merge');
  // ... remainder of the PoC is truncated in this gist preview
})();
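The recursive-copy sinks on this page (updateStateInternal in nora-firebase-common, json-override, and the lodash merge this gist relies on) differ from the path-based setters in that the attacker supplies a whole object rather than a key path, so the dangerous key arrives as an own property of the parsed input. The following is an added example, not code from this gist, from lodash, or from any package listed here: a generic recursive merge of that shape beside a hardened version, probed with both routes the advisories name. Function names and the JSON payloads are illustrative assumptions.

```javascript
// Added example, not code from any gist or package on this page and not lodash's
// implementation. Function names and payloads are illustrative assumptions.

// Vulnerable: iterates every key of the attacker-controlled source and descends
// into whatever dst[key] already resolves to, including inherited values such as
// dst["__proto__"] (Object.prototype) and dst["constructor"]["prototype"].
function deepMergeVulnerable(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (dst[key] === undefined) dst[key] = {};
      deepMergeVulnerable(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: copies only own keys of src, rejects the three keys that reach a
// prototype, and only descends into dst's *own* plain objects.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (PROTO_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-reaching key: ${key}`);
    }
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      deepMergeSafe(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Merges one payload into a fresh target and reports whether an unrelated object,
// which shares only Object.prototype with the target, now sees "polluted".
// The payload is parsed from JSON on purpose: JSON.parse creates an *own* property
// literally named "__proto__", whereas an object literal with that key would only
// set the literal's prototype and would never reach the merge as a key.
function mergeAndProbe(merge, payloadJson) {
  const bystander = {};
  let error = null;
  try {
    merge({}, JSON.parse(payloadJson));
  } catch (e) {
    error = e.message;
  }
  const polluted = bystander.polluted;
  delete Object.prototype.polluted;   // reset so later probes start clean
  return { polluted, error };
}

// Constructed payloads for the two routes the advisories name.
const PAYLOAD_PROTO = '{"__proto__": {"polluted": "pwned"}}';
const PAYLOAD_CONSTRUCTOR = '{"constructor": {"prototype": {"polluted": "pwned"}}}';

console.log('vulnerable / __proto__   :', mergeAndProbe(deepMergeVulnerable, PAYLOAD_PROTO));
console.log('vulnerable / constructor :', mergeAndProbe(deepMergeVulnerable, PAYLOAD_CONSTRUCTOR));
console.log('hardened   / __proto__   :', mergeAndProbe(deepMergeSafe, PAYLOAD_PROTO));
console.log('hardened   / constructor :', mergeAndProbe(deepMergeSafe, PAYLOAD_CONSTRUCTOR));
```

Note that `for...in` alone is not the bug: `Object.keys` would also return the injected "__proto__" key, because JSON.parse made it an own property. The fix is the key check plus refusing to descend into anything dst does not own; a merge that creates a fresh `{}` whenever dst[key] is not an own plain object never reaches Object.prototype even if the denylist were incomplete.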
@mestrtee
mestrtee / CVE-2024-36581.md
Last active June 12, 2024 14:38
[CVE-2024-36581] Prototype Pollution vulnerability affecting @abw/badger-database, version 1.2.1

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Either property lets the attacker pollute application logic, which can be escalated to denial of service, remote code execution or cross-site scripting depending on how the application uses the polluted objects.

Location:

@abw/badger-database/dist/badger-database.esm.js:1