Description

@antfu/utils is a collection of common JavaScript / TypeScript utils. It is vulnerable to Prototype Pollution on the deepMerge() function. This allows for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

About the vulnerability

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

Proof of Concept

// PoC.js
const utils = require('@antfu/utils');
const obj = {};
const payload =  JSON.parse('{"__proto__":{"polluted":"Polluted!"}}');

console.log("Before: " + obj.polluted);
utils.deepMerge(obj, payload);
console.log("After: " + polluted);

Before: undefined
After: Polluted!

Mitigation

It can be fixed by implementing a simple validation to check for prototype keywords (__proto__, constructor and prototype), where if it exists, the function returns the object without modifying it, thus fixing the Prototype Pollution Vulnerability.

Impact

This vulnerability is capable of modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.