CVE-2018-3728
Prototype Pollution vulnerability in hoek (npm)


What is CVE-2018-3728 About?

This vulnerability is a Prototype Pollution flaw in `hoek` versions prior to 4.2.1 and 5.0.3. It allows attackers to modify or add properties to the Object prototype by providing a crafted JSON payload, which can lead to various integrity or availability issues across the application. Exploitation is relatively straightforward if user-controlled input is processed by vulnerable functions.

Affected Software

  • hoek
    • >5.0.0, <5.0.3
    • <4.2.1

Technical Details

The `merge`, `applyToDefaults`, and `applyToDefaultsWithShallow` functions in affected versions of the hoek library are vulnerable to prototype pollution. When these functions process an unvalidated JSON string containing the `__proto__` property, they recursively merge its contents into the target object, and because `target["__proto__"]` resolves to the target's prototype, the merge lands on `Object.prototype` itself. An attacker can craft a JSON payload like `{"__proto__":{"oops":"It works !"}}`. When `Hoek.merge({}, JSON.parse(malicious_payload))` is executed, the `oops` property is added directly to `Object.prototype`. Every object that inherits from `Object.prototype` then sees the injected property, which can be used to overwrite properties the application relies on or to alter its behaviour, with effects ranging from denial of service to execution control.

What is the Impact of CVE-2018-3728?

Successful exploitation may allow attackers to corrupt application data, bypass security controls, or cause a denial of service due to unexpected object behavior.

What is the Exploitability of CVE-2018-3728?

Exploitation requires the attacker to submit a specially crafted JSON payload that is then parsed and processed by `merge` or a related function in hoek. The complexity is low, as it primarily involves embedding `__proto__` into the JSON structure. Authentication requirements depend on the application's architecture and on whether the vulnerable input endpoint is protected. No specific privileges are needed beyond the ability to send the malicious payload. This is typically a remote vulnerability, but it can also apply locally if untrusted files are processed. The likelihood of exploitation is higher for applications that directly parse and merge untrusted user-supplied JSON data.

What are the Known Public Exploits?

| PoC | Author | Link | Commentary |
|-----|--------|------|------------|
| No known exploits | | | |

What are the Available Fixes for CVE-2018-3728?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents merging of the special `__proto__` property by skipping keys named `__proto__` during object merging. This fixes CVE-2018-3728 by protecting applications from prototype pollution attacks, in which an attacker could manipulate `Object.prototype` and introduce or overwrite properties on all objects.
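To make the Technical Details and the fix above concrete, here is an added example (not hoek's own code) with a minimal recursive merge in the style the advisory describes, run once without and once with the `__proto__` skip, plus a check a defender can use to confirm whether `Object.prototype` has been polluted. The function names `merge`, `mergeVulnerable`, `mergeSafe`, `isPrototypePolluted` and `demo` are this example's own.

```javascript
// Added example, not hoek's code: a minimal recursive merge of the kind the
// advisory describes, in its vulnerable form and with the fix applied.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// One recursive merge; `skipProto` is the advisory's fix. Without it,
// `target["__proto__"]` resolves to Object.prototype, so the nested payload
// is merged into the prototype shared by every plain object.
function merge(target, source, skipProto) {
  for (const key of Object.keys(source)) {
    if (skipProto && key === '__proto__') continue; // the fix: never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      merge(target[key], value, skipProto);
    } else {
      target[key] = value;
    }
  }
  return target;
}
const mergeVulnerable = (t, s) => merge(t, s, false); // behaviour of affected versions
const mergeSafe = (t, s) => merge(t, s, true);        // behaviour after the patch

// Detection check: has `name` been injected into Object.prototype?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs both merges against the advisory's payload and cleans up afterwards.
function demo() {
  const payload = '{"__proto__":{"oops":"It works !"}}'; // payload quoted in the advisory
  const results = {};
  mergeSafe({}, JSON.parse(payload));
  results.safePolluted = isPrototypePolluted('oops');     // false
  mergeVulnerable({}, JSON.parse(payload));
  results.vulnPolluted = isPrototypePolluted('oops');     // true
  results.inheritedByFreshObject = ({}).oops;              // "It works !"
  delete Object.prototype.oops; // remove the injected property again
  return results;
}
```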

Available Upgrade Options

  • hoek
    • <4.2.1 → Upgrade to 4.2.1
    • >5.0.0, <5.0.3 → Upgrade to 5.0.3


Additional Resources

What are Similar Vulnerabilities to CVE-2018-3728?

Similar Vulnerabilities: CVE-2018-16469, CVE-2018-16492, CVE-2019-11358, CVE-2019-10744, CVE-2020-28282