CVE-2019-20149
Validation Bypass vulnerability in kind-of (npm)


What is CVE-2019-20149 About?

This Validation Bypass vulnerability in `kind-of` (versions 6.x prior to 6.0.3) allows an attacker to manipulate the library's type checks with a maliciously crafted object. Bypassing those checks can lead to unexpected behavior and potentially to further vulnerabilities. Exploitation is moderately complex, since it requires crafting specific objects that alter the outcome of type checking.

Affected Software

kind-of >6.0.0, <6.0.3

Technical Details

The vulnerability in `kind-of` versions 6.x prior to 6.0.3 is a Validation Bypass: the type checking mechanism can be manipulated by a specially crafted object. The `kind-of` library determines the type of a given JavaScript value, and an attacker can craft a JavaScript object that fools its internal type checking logic. This is typically achieved by overriding or manipulating the prototype methods or properties that `kind-of` relies on for its type determinations (for example, `Symbol.toStringTag` or the `constructor` property). By altering these, a malicious object can be presented as a type it is not, so application logic that relies on `kind-of` for validation is bypassed, leading to unintended control flow or data processing.

What is the Impact of CVE-2019-20149?

Successful exploitation may allow attackers to bypass security validation, inject unexpected data types, disrupt program execution, or potentially achieve arbitrary code execution in highly dependent systems.

What is the Exploitability of CVE-2019-20149?

Exploitation generally involves providing a maliciously crafted JavaScript object to an application that uses the vulnerable kind-of library for type validation. The complexity is moderate, requiring an understanding of JavaScript's object model and how kind-of performs its checks. There are typically no authentication requirements other than the ability to submit data that will be type-checked. This can be a remote or local attack, depending on how user-controlled input reaches the kind-of function. No special privileges are usually required. The main constraint is that the application must be using an affected version of kind-of and relying on its type checks for security-sensitive operations. The risk increases when applications validate untrusted input using kind-of and then perform actions based on the potentially bypassed type information.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2019-20149?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds a check that `val.constructor` is actually a function before accessing its `name`, preventing unintended behavior when `val.constructor` is not a function (for example, a user-defined object carrying a non-function `constructor` property). This fixes CVE-2019-20149 by mitigating prototype pollution attacks, in which an attacker manipulates the `constructor` property to execute arbitrary code or cause unexpected results.
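The constructor-name check described in the Technical Details and in the fix description above, as an added example that is not `kind-of`'s own code: a simplified type classifier that reads `val.constructor.name` in the weak way, beside the hardened form that first confirms the constructor is a function. The `classify` and `ctorName*` helpers and the constructed JSON input are assumptions made for this example.

```javascript
// Added example (not kind-of's own code): a simplified type detector modelled on the
// constructor-name approach described on this page, in its weak and hardened forms.

// Weak form: trusts any truthy `constructor` property, function or not.
function ctorNameWeak(val) {
  return val.constructor ? val.constructor.name : null;
}

// Hardened form (the shape of the fix described above): only read `.name` when the
// constructor really is a function, as it is for genuine built-in instances.
function ctorNameSafe(val) {
  return typeof val.constructor === 'function' ? val.constructor.name : null;
}

// Minimal classifier mapping constructor names to type tags. Only a few tags are
// modelled here; anything unrecognised (or with no usable constructor) is 'object'.
function classify(val, ctorName) {
  if (val === null) return 'null';
  if (typeof val !== 'object') return typeof val;
  switch (ctorName(val)) {
    case 'Date': return 'date';
    case 'RegExp': return 'regexp';
    case 'Promise': return 'promise';
    default: return 'object';
  }
}

// Constructed untrusted input: JSON.parse yields a plain object whose own `constructor`
// property is data, not a function. Nothing here touches Object.prototype.
const crafted = JSON.parse('{"constructor":{"name":"Date"},"value":1}');
const genuine = new Date(0);

// Returns what each form reports for the crafted object and for a genuine Date,
// so the difference between the weak and hardened checks is visible side by side.
function demo() {
  return {
    weakCrafted: classify(crafted, ctorNameWeak),  // 'date'   (type check fooled)
    safeCrafted: classify(crafted, ctorNameSafe),  // 'object' (correct)
    weakGenuine: classify(genuine, ctorNameWeak),  // 'date'
    safeGenuine: classify(genuine, ctorNameSafe),  // 'date'
  };
}
```

Code that gates a security-sensitive action on `classify(...) === 'date'` accepts the crafted object under the weak form and rejects it under the hardened one, which is the validation bypass this advisory describes.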

Available Upgrade Options

  • kind-of
    • >6.0.0, <6.0.3 → Upgrade to 6.0.3


Additional Resources

What are Similar Vulnerabilities to CVE-2019-20149?

Similar Vulnerabilities: CVE-2022-21824, CVE-2021-23358, CVE-2020-28269, CVE-2019-8331, CVE-2018-3720