CVE-2018-3751
Prototype Pollution vulnerability in merge-recursive (npm)

Category: Prototype Pollution. Public exploit: none known.

What is CVE-2018-3751 About?

This vulnerability in `merge-recursive` allows Prototype Pollution: merging attacker-controlled input into another object can write properties onto `Object.prototype`, which every ordinary object inherits. An attacker can thereby inject or alter properties application-wide, with impacts ranging from logic errors and denial of service to remote code execution where a polluted property is consumed by code that acts on it. Exploitation is straightforward: the attacker only needs to supply a crafted JSON document that the application merges.

Affected Software

merge-recursive <=0.0.3

Technical Details

merge-recursive walks the source object and copies each property into the target, recursing into nested objects. `JSON.parse` turns the key `__proto__` in a payload such as `{"__proto__":{"oops":"It works !"}}` into an ordinary own property of the parsed object, so the merge enumerates it like any other key. On the target side, however, `target["__proto__"]` resolves through the inherited accessor on `Object.prototype` and returns the target's prototype, which for a plain `{}` is `Object.prototype` itself. The recursive step therefore writes `oops` onto `Object.prototype`, and every object that inherits from it, in every module of the process, now reads `({}).oops === "It works !"`. An attacker who controls the merged data can thus add or overwrite properties that the rest of the application looks up on ordinary objects, causing unexpected behaviour, data tampering or denial of service, and potentially remote code execution if a property that other code consults as an option or gadget is overridden.
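The mechanics above, as an added example (this is not merge-recursive's source): a minimal recursive merge written in the style of the vulnerable library, the advisory's payload run through it, and a hardened variant that copies only own keys and refuses the names `__proto__`, `constructor` and `prototype`. The helper names and the sample data are the example's own.

```javascript
// Added example, not merge-recursive's code: a minimal merge in the vulnerable
// style, the advisory's payload, and a hardened merge that refuses prototype keys.

// Vulnerable pattern: recurses into whatever target[key] returns, even when the
// lookup resolves through an inherited accessor rather than an own property.
function mergeRecursive(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      // For key "__proto__" on a plain object this lookup hits the inherited
      // accessor on Object.prototype and returns Object.prototype itself.
      if (target[key] === undefined || typeof target[key] !== "object") {
        target[key] = {};
      }
      mergeRecursive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The advisory's payload. JSON.parse makes "__proto__" an ordinary own key,
// so the merge enumerates it like any other property.
const PAYLOAD = '{"__proto__":{"oops":"It works !"}}';

// Runs the pollution and returns what an unrelated, freshly created object
// now sees. Removes the injected property afterwards so the rest of the
// process is not left polluted.
function runVulnerable() {
  mergeRecursive({}, JSON.parse(PAYLOAD));
  const seenByFreshObject = ({}).oops;
  delete Object.prototype.oops;
  return seenByFreshObject;
}

// Names through which a merge can reach a prototype.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Hardened merge: only own keys of the source, never the forbidden names, and
// never recursing into a target value that is inherited rather than own.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: the hostile key mixed with legitimate data.
function runHardened() {
  const source = JSON.parse(
    '{"__proto__":{"oops":"It works !"},"name":"alice","prefs":{"theme":"dark"}}'
  );
  const merged = safeMerge({ prefs: { lang: "en" } }, source);
  return { leaked: ({}).oops, merged };
}

console.log("vulnerable merge, read from a fresh {}:", runVulnerable()); // "It works !"
console.log("hardened merge:", runHardened());                            // leaked: undefined
```

Run with `node`. The vulnerable branch reports "It works !" read from a fresh `{}`; the hardened branch merges the legitimate keys and leaves `Object.prototype` untouched. Iterating `Object.keys(source)` alone is not a fix, because `JSON.parse` makes `__proto__` an own key of the source; the name check is what blocks the payload, and recursing only into own properties of the target closes the accessor route.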

What is the Impact of CVE-2018-3751?

Successful exploitation may allow attackers to inject or modify properties of existing objects, leading to undesirable application behavior, denial of service, or potentially remote code execution.

What is the Exploitability of CVE-2018-3751?

Exploitation is low complexity, as the one-line payload in the Technical Details shows. The attacker needs a code path in which user-controlled input is parsed as JSON (or otherwise turned into an object) and then merged with `merge-recursive`. No authentication is required if that path is reachable without it; if the merge sits behind an authenticated feature, an account is a prerequisite, but no elevated privileges are needed. The vulnerability is exploitable remotely, since the malicious data is simply sent to the server. The one condition is that the application merges user-supplied object data without rejecting property names that can reach a prototype, such as `__proto__`.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2018-3751?

Available Upgrade Options

  • No fixes available
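Since no patched release of merge-recursive exists, the remaining options are to replace the library, or to keep hostile keys away from it and to detect pollution if it happens anyway. The following is an added example, not the project's code: a `JSON.parse` reviver that drops prototype-reaching keys at every depth before the data reaches any merge, and a runtime probe that reports enumerable own properties on `Object.prototype` (there are normally none). Function names and the sample payload are constructed for the example.

```javascript
// Added example (not the library's or the advisory's code): mitigations an
// application can apply while no patched merge-recursive release exists.

// Property names through which a merge can reach a prototype.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Parse untrusted JSON and drop those names at every nesting level before the
// data ever reaches a merge. The reviver is called for each key; returning
// undefined deletes that property from the parsed object.
function parseUntrustedJSON(text) {
  return JSON.parse(text, (key, value) => (DANGEROUS_KEYS.has(key) ? undefined : value));
}

// Runtime probe: every built-in property of Object.prototype is
// non-enumerable, so any enumerable own key is evidence that something has
// written into it, which is exactly what this vulnerability does.
function prototypePollutionIndicators() {
  return Object.keys(Object.prototype);
}

// Guard for startup checks or test suites: fail fast if the prototype is dirty.
function assertPrototypeClean() {
  const keys = prototypePollutionIndicators();
  if (keys.length > 0) {
    throw new Error("Object.prototype has unexpected properties: " + keys.join(", "));
  }
}

// Demonstrates the probe by simulating the vulnerability's effect on
// Object.prototype and then removing it again.
function probeDemo() {
  Object.prototype.oops = "It works !"; // simulated pollution
  const detected = prototypePollutionIndicators();
  delete Object.prototype.oops;
  return detected;
}

// Constructed payload: the advisory's key plus a nested constructor/prototype
// chain, mixed with a legitimate field.
const SAMPLE =
  '{"__proto__":{"oops":"It works !"},"user":{"constructor":{"prototype":{"admin":true}},"name":"alice"}}';

console.log(Object.keys(parseUntrustedJSON(SAMPLE)));      // [ 'user' ]
console.log(Object.keys(parseUntrustedJSON(SAMPLE).user)); // [ 'name' ]
console.log(probeDemo());                                  // [ 'oops' ]
assertPrototypeClean();                                    // passes after cleanup
```

The reviver runs on the parsed tree bottom-up, so nested `constructor.prototype` chains are removed as well as the top-level `__proto__`. The probe is cheap enough to run at startup or in a health check; a non-empty result is a strong indicator that a merge of untrusted data has already polluted the process.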


Additional Resources

What are Similar Vulnerabilities to CVE-2018-3751?

Similar Vulnerabilities: CVE-2019-10744, CVE-2020-28284, CVE-2020-7699, CVE-2021-23377, CVE-2021-3918