Tariq Hawis tariqhawis

🎯
Focusing
View GitHub Profile
@tariqhawis
tariqhawis / CVE-2024-29651.md
Last active April 2, 2024 14:43
(CVE-2024-29651) Prototype Pollution vulnerability affecting @apidevtools/json-schema-ref-parser, versions 11.0.0, 11.1.0

Overview

json-schema-ref-parser is an NPM package that parses, resolves, and dereferences JSON Schema $ref pointers.

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by passing specially crafted input to the affected functions.

Details:

The vulnerable functions bundle(), parse(), resolve(), and dereference() pass their options argument to an unsafe merge method, which recursively copies properties from one object to another. Such a function can modify any object reachable from the destination object, and the built-in Object.prototype is usually reachable through the special properties __proto__ and constructor.prototype.
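The unsafe recursive merge described above beside a hardened version, as an added example that is not code from this advisory or from the json-schema-ref-parser project; the resolve.external option name and the untrusted JSON are constructed for illustration.

```javascript
// Added example, not from the advisory or the json-schema-ref-parser project.
// unsafeMerge: the naive recursive copy the advisory describes. Reading
// target["__proto__"] on a plain object yields Object.prototype, so the
// recursion writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// safeMerge: copies own keys only and refuses the keys that reach a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input: JSON.parse keeps "__proto__" as an own data key.
const UNTRUSTED_JSON = '{"resolve":{"external":false},"__proto__":{"polluted":true}}';

// Merge fresh defaults with the input, then probe an unrelated empty object.
function mergeAndProbe(merge) {
  const options = merge({ resolve: { external: true } }, JSON.parse(UNTRUSTED_JSON));
  const result = { external: options.resolve.external, leaked: ({}).polluted === true };
  delete Object.prototype.polluted; // undo any pollution so later runs start clean
  return result;
}

console.log("unsafe:", mergeAndProbe(unsafeMerge)); // leaked: true
console.log("safe:  ", mergeAndProbe(safeMerge));   // leaked: false
```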

@tariqhawis
tariqhawis / thi.ng-paths.md
Last active March 23, 2024 15:26
Prototype Pollution vulnerability affecting @thi.ng/paths module, versions <=5.1.62

Overview

Affected versions of this package (<=5.1.62) are vulnerable to prototype pollution via mutIn and mutInManyUnsafe. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by passing specially crafted input to these functions.

In the PoC code below, paths.mutIn is invoked with a polluted __proto__ property. This property is passed as an argument from mutIn() in mut-in.js to defMutator() in mutator.js and is then assigned to the destination as follows:

        return s ? (t = s[a]) ? (t[b] = x, s) : void 0 : void 0;
@tariqhawis
tariqhawis / aliconnect-sdk.md
Last active March 22, 2024 19:47
Prototype Pollution Affecting @aliconnect/sdk package

Affected versions of this package are vulnerable to Prototype Pollution via the sdk function due to a missing check for whether the attribute resolves to the object prototype.

To exploit the vulnerability, an attacker can inject a malicious object from user-controllable input into the aim function in aim.js. The input resolves to the object prototype and thus modifies the behavior of the program.

PoC:

var sdk = require("@aliconnect/sdk");
// JSON.parse keeps "__proto__" as an own data property, so an unchecked
// merge of this object reaches Object.prototype.
var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');

Keybase proof

I hereby claim:

  • I am tariqhawis on github.
  • I am tariqhawis (https://keybase.io/tariqhawis) on keybase.
  • I have a public key whose fingerprint is CBF9 4F73 C829 2458 F071 704D 2781 6E61 A18F AF65

To claim this, I am signing this object: