CVE-2019-10747
Prototype Pollution vulnerability in set-value
What is CVE-2019-10747 About?
This vulnerability is a Prototype Pollution flaw in `set-value` versions prior to 3.0.1 or 2.0.1. The `set` function fails to validate properties, allowing attackers to modify `Object.prototype`. Its impact is the potential for altering application logic universally, and exploitation is relatively easy given an input vector.
Affected Software
- set-value
- <2.0.1
- >3.0.0, <3.0.1
Technical Details
The `set-value` package, in versions prior to 3.0.1 (for 3.x) and 2.0.1 (for 2.x), is susceptible to Prototype Pollution. This vulnerability stems from the `set` function's inadequate validation of object properties it updates. An attacker can craft a payload using the `__proto__` property (e.g., `{'__proto__': {'key': 'value'}}`) that, when processed by the `set` function, directly modifies the `Object.prototype`. This means that `key` and `value` would become properties available on all JavaScript objects, potentially overriding legitimate properties or introducing unexpected behavior across the entire application. The attack vector involves feeding such a malicious object structure into a function that internally uses `set-value` without proper input sanitization.
What is the Impact of CVE-2019-10747?
Successful exploitation may allow attackers to inject arbitrary properties into all JavaScript objects, alter core application logic, bypass security checks, or trigger denial-of-service conditions.
What is the Exploitability of CVE-2019-10747?
Exploitation of this Prototype Pollution vulnerability is of moderate complexity, depending on the application's input handling. An attacker needs to provide user input that is then processed by the `set` function of `set-value` without thorough sanitization, allowing the `__proto__` property to be manipulated. Authentication requirements would depend on whether the vulnerable input point is exposed to authenticated or unauthenticated users. This is typically a remote attack if the malicious input is received via a web request or similar network communication. Prerequisites include an application utilizing a vulnerable version of `set-value` and exposing an entry point where attacker-controlled data can be used to set object properties without proper validation. The likelihood of exploitation is increased in applications that extensively use dynamic object property assignment based on untrusted input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-10747?
Available Upgrade Options
- set-value
- <2.0.1 → Upgrade to 2.0.1
- set-value
- >3.0.0, <3.0.1 → Upgrade to 3.0.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/
- https://www.npmjs.com/advisories/1012
- https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292%40%3Cdev.drat.apache.org%3E
- https://github.com/jonschlinkert/set-value/commit/95e9d9923f8a8b4a01da1ea138fcc39ec7b6b15f
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV
- https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad
- https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
- https://osv.dev/vulnerability/GHSA-4g88-fppr-53pp
What are Similar Vulnerabilities to CVE-2019-10747?
Similar Vulnerabilities: CVE-2019-19919 , CVE-2019-10795 , CVE-2020-28469 , CVE-2020-7713 , CVE-2021-23371
