CVE-2019-10795
Prototype Pollution vulnerability in undefsafe
What is CVE-2019-10795 About?
This vulnerability is a Prototype Pollution flaw in `undefsafe` versions prior to 2.0.3. It allows attackers to inject or modify properties of `Object.prototype` using a `__proto__` payload. The impact is potentially widespread alteration of application logic, and exploitation is relatively straightforward given a suitable input vector.
Affected Software
Technical Details
The `undefsafe` package, in versions before 2.0.3, is vulnerable to Prototype Pollution. The `a` function within the package can be tricked into adding or modifying properties on `Object.prototype`. This occurs when an attacker crafts a malicious input object containing a `__proto__` key whose value includes the desired properties and values (e.g., `{'__proto__': {'maliciousProperty': 'maliciousValue'}}`). When the `undefsafe` utility processes this input, it inadvertently traverses and modifies `Object.prototype`, making `maliciousProperty` available on all instantiated JavaScript objects. This can lead to various issues, including property overwrites, unexpected behavior, or even denial-of-service conditions if critical properties are tampered with.
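The pattern described above, shown as an added example that is not part of the original advisory and is not undefsafe's source code. `unsafeSet` and `safeSet` are hypothetical dotted-path setters, and the dotted-path input form is an assumption. The unchecked walk reaches `Object.prototype`, while the hardened form rejects prototype-reaching segments.

```javascript
// Added example: hypothetical helpers, not undefsafe's source code.

// Path segments that reach a prototype instead of the object's own data.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walks a dotted path and assigns with no checks on the keys.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key]; // '__proto__' resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: reject blocked segments and only descend into own properties.
function safeSet(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new TypeError('refusing prototype-reaching path: ' + path);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on the same constructed path and reports whether an
// unrelated, freshly created object picked up the property.
function demo() {
  const path = '__proto__.maliciousProperty'; // constructed sample input
  unsafeSet({}, path, 'maliciousValue');
  const pollutedByUnsafe = ({}).maliciousProperty === 'maliciousValue';
  delete Object.prototype.maliciousProperty; // restore global state

  let rejected = false;
  try { safeSet({}, path, 'maliciousValue'); } catch (e) { rejected = e instanceof TypeError; }
  return { pollutedByUnsafe, rejected, pollutedBySafe: 'maliciousProperty' in {} };
}
```

The same own-property and blocked-key checks apply to any helper that sets nested properties from untrusted keys, including recursive merge functions.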
What is the Impact of CVE-2019-10795?
Successful exploitation may allow attackers to inject arbitrary properties into all JavaScript objects, alter core application logic, bypass security checks, or trigger denial-of-service conditions.
What is the Exploitability of CVE-2019-10795?
Exploitation of this Prototype Pollution vulnerability is of moderate complexity. An attacker must be able to supply input to a function that internally uses `undefsafe` without proper sanitization, allowing the `__proto__` property to be present in the input. Authentication requirements depend on the application's exposure of such an input point. This is typically a remote attack. Prerequisites include an application utilizing a vulnerable version of `undefsafe` and providing an entry point where attacker-controlled data is used to define or update object properties. The likelihood of exploitation is increased in applications that extensively parse and process untrusted JSON or JavaScript objects.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10795?
Available Upgrade Options
- undefsafe
  - <2.0.3 → Upgrade to 2.0.3
Additional Resources
- https://github.com/remy/undefsafe/commit/f272681b3a50e2c4cbb6a8533795e1453382c822
- https://nvd.nist.gov/vuln/detail/CVE-2019-10795
- https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940
- https://github.com/remy/undefsafe
- https://osv.dev/vulnerability/GHSA-332q-7ff2-57h2
What are Similar Vulnerabilities to CVE-2019-10795?
Similar Vulnerabilities: CVE-2019-19919, CVE-2019-10747, CVE-2020-28469, CVE-2020-7713, CVE-2021-23371
