CVSS3: 8.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P

EPSS: 0.004 Low
Percentile: 69.4%

Summary:
Attacker control of the second properties parameter of console.table may lead to prototype pollution.
Description:
Due to the formatting logic of the console.table function, it is not safe to allow user-controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter.
The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.
The vulnerability can be reproduced in the Node.js REPL, tested with version v16.7.0:
console.table({foo: 'bar'}, ['__proto__'])
Object.prototype[0] === ''
The pollution will vary depending on the number of properties on the object passed as the first parameter, with each additional property assigning another incrementing index of the object prototype. This means that if the first parameter is also controlled by the attacker, it is possible to assign empty strings to indexes 0..n of the object prototype, for any n:
> console.table({a: 1, b: 1, c: 1}, ['__proto__'])
Uncaught TypeError: Cannot create property '0' on string ''
> Object.prototype
[Object: null prototype] { '0': '', '1': '', '2': '' }
The vulnerable assignment is in the Node.js console.table implementation.
A suggested remediation is to ignore properties named '__proto__', or to use a different data structure to store the computed table fields. For example:
const keys = properties || ObjectKeys(item);
for (const key of keys) {
+ if (key === '__proto__') {
+ continue
+ }
if (map[key] === undefined)
map[key] = [];
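Review bot: the added check at the top of the for loop special-cases the single key name '__proto__' and silently drops a column the caller asked for, while map is still indexed by caller-supplied strings in 'if (map[key] === undefined)'. Consider giving map no prototype instead (the "different data structure" option mentioned above), so that every key is stored as an own property and no name has to be skipped. Style: the added 'continue' lacks the semicolon that the surrounding 'map[key] = [];' uses.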
Users of console.table have no reason to expect any danger in passing user input to the second properties array, and may therefore do so without sanitization. In the event that, for example, a web server is exposed to this vulnerability, it is likely to be a very effective denial of service attack. In extremely rare cases the prototype pollution can lead to more severe attack vectors such as bypassing authorization mechanisms, although due to the limited control of the pollution this is unlikely.
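The mechanism behind the reproduction and the "different data structure" remediation, as an added example that is not Node.js source and not part of the original advisory: a simplified model of the quoted column-map loop, run once on a plain object and once on a null-prototype object. The names buildColumns, pollutedIndexes and demo are hypothetical, and the sample input is constructed.

```javascript
// Simplified model of the quoted loop (not Node.js source). `map` is injected
// so the same code can run on a plain object and on a null-prototype object.
function buildColumns(data, properties, map) {
  const rows = Object.keys(data);
  for (let i = 0; i < rows.length; i++) {
    const item = data[rows[i]];
    const isObject = item !== null && typeof item === 'object';
    for (const key of properties) {
      // On a plain object, map['__proto__'] is Object.prototype, never
      // undefined, so no array is created and the write below hits the prototype.
      if (map[key] === undefined)
        map[key] = [];
      const own = isObject && Object.prototype.hasOwnProperty.call(item, key);
      map[key][i] = own ? String(item[key]) : '';
    }
  }
  return map;
}

// Footprint described in the advisory: numeric keys on Object.prototype set to ''.
function pollutedIndexes() {
  return Object.keys(Object.prototype).filter(
    (k) => /^\d+$/.test(k) && Object.prototype[k] === '');
}

function demo() {
  const data = { a: 1, b: 1, c: 1 };       // constructed sample input
  buildColumns(data, ['__proto__'], {});    // plain-object map
  const plain = pollutedIndexes();
  for (const k of plain) delete Object.prototype[k];  // restore the prototype
  // Null-prototype map: '__proto__' becomes an ordinary own property.
  const safe = buildColumns(data, ['__proto__'], Object.create(null));
  return { plain, nullProto: pollutedIndexes(), column: safe['__proto__'] };
}

console.log(demo());
```

pollutedIndexes() can also be called on its own, for instance in a health check, to see whether a long-running process already carries this footprint.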