CVE-2022-25948
Information Exposure vulnerability in liquidjs (npm)
What is CVE-2022-25948 About?
This vulnerability is an Information Exposure flaw in the `liquidjs` package in versions before 10.0.0. When the `ownPropertyOnly` option is set to `false` (the JavaScript boolean), template property lookups are not limited to an object's own properties, so properties inherited through the prototype chain can leak into rendered output. The impact is the unintended disclosure of internal object properties, which could aid further attacks. Exploitation depends on this specific configuration and on how templates are used.
Affected Software
Technical Details
The vulnerability in liquidjs versions before 10.0.0 is an information exposure flaw in how the engine resolves properties during template rendering when the `ownPropertyOnly` option is set to `false`. In this configuration the templating engine does not restrict property lookups to an object's own properties; a lookup that misses on the object itself falls through to the prototype chain. If an attacker controls either the template content or the data object passed to the template, they can write expressions that read properties inherited from `Object.prototype` or from other prototypes in the chain. This can expose internal properties or methods that were never meant to be reachable from the template context, potentially revealing application internals or debugging information, and the same loose lookup could contribute to prototype pollution if prototype properties can also be written to.
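To make the difference between the two lookup policies concrete, the following is an added example, not liquidjs's own code: a minimal dotted-path resolver that models what a template expression such as `{{ user.constructor }}` sees under a loose lookup versus an own-property-only lookup. The function names (`resolvePath`, `probe`, `demo`) and the sample context are constructed for illustration; the only thing carried over from the advisory is the idea behind the `ownPropertyOnly` switch.

```javascript
// Added example (hypothetical helper, not liquidjs code): resolve a dotted
// path such as "user.name" against a template context under two policies.
//
// ownPropertyOnly = false: each step is plain member access, so a segment
//   that is not an own property falls through to the prototype chain
//   (Object.prototype, Function.prototype, ...).
// ownPropertyOnly = true: each segment must be an own property of the
//   current value, otherwise the lookup stops and yields undefined.
function resolvePath(data, path, ownPropertyOnly) {
  let current = data;
  for (const segment of path.split('.')) {
    if (current === null || current === undefined) return undefined;
    if (ownPropertyOnly &&
        !Object.prototype.hasOwnProperty.call(current, segment)) {
      return undefined;
    }
    current = current[segment];
  }
  return current;
}

// Evaluate one path under both policies so the two results can be compared.
function probe(data, path) {
  return {
    loose: resolvePath(data, path, false),
    strict: resolvePath(data, path, true),
  };
}

// Constructed template context: only `user.name` is meant to be visible.
const context = { user: { name: 'alice' } };

// Legitimate data resolves under both policies; inherited members such as
// `constructor` and `toString` resolve only under the loose policy.
function demo() {
  return {
    name: probe(context, 'user.name'),
    ctor: probe(context, 'user.constructor'),
    toStr: probe(context, 'user.toString'),
    proto: probe(context, 'user.__proto__'),
  };
}

console.log(demo());
```

The strict branch is the behaviour the advisory's fixed configuration restores: an `Object.prototype.hasOwnProperty.call` check before every step means a template can only read what the application explicitly placed in the context object.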
What is the Impact of CVE-2022-25948?
Successful exploitation may allow attackers to leak internal object properties from the prototype chain, potentially disclosing sensitive information or aiding in further attacks.
What is the Exploitability of CVE-2022-25948?
Exploitation of this information exposure vulnerability is of moderate complexity. It requires the liquidjs `ownPropertyOnly` option to be explicitly set to `false`, which is not the secure default. An attacker would need to supply either a crafted template or data that, when rendered, drives the loose property lookup into the prototype chain. No authentication or elevated privileges are inherently required, but control over template content or data input is necessary. The attack can be remote if the application renders user-supplied templates or data. The special condition is the `ownPropertyOnly: false` configuration. The likelihood of exploitation rises for applications that let untrusted users provide template content or arbitrary data objects to the liquidjs renderer while running in the vulnerable configuration, since that is exactly the control an attacker needs to craft input that exposes prototype properties.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-25948?
Available Upgrade Options
- liquidjs
- <10.0.0 → Upgrade to 10.0.0
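The upgrade line above is easy to verify across a whole dependency tree from the lockfile rather than by trusting the top-level `package.json`. The following is an added example, not code from liquidjs or from Resolved Security: it walks a `package-lock.json` (lockfile v2/v3 `packages` entries, with a fallback for the older v1 `dependencies` tree), collects every installed copy of `liquidjs`, including nested copies pulled in by other packages, and flags any version below the fixed release 10.0.0. The function names and the inline lockfile are constructed for illustration.

```javascript
// Added example (hypothetical audit helper): find every installed liquidjs
// in a package-lock.json and flag versions below the fixed release.
const FIXED_VERSION = '10.0.0';

// Compare two semver-style versions numerically on major.minor.patch,
// ignoring any pre-release suffix. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect { path, version } for each liquidjs copy in the lockfile.
function findLiquidjsVersions(lock) {
  const found = [];
  // lockfile v2/v3: flat "packages" map keyed by install path.
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === 'node_modules/liquidjs' ||
        key.endsWith('/node_modules/liquidjs')) {
      found.push({ path: key, version: entry.version });
    }
  }
  // lockfile v1: nested "dependencies" tree.
  function walkV1(deps, prefix) {
    for (const [name, dep] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'liquidjs') found.push({ path: p, version: dep.version });
      walkV1(dep.dependencies, `${p}/`);
    }
  }
  if (!lock.packages) walkV1(lock.dependencies, '');
  return found;
}

// Annotate each copy with whether it is below FIXED_VERSION.
function auditLockfile(lock) {
  return findLiquidjsVersions(lock).map((f) => ({
    ...f,
    vulnerable: compareVersions(f.version, FIXED_VERSION) < 0,
  }));
}

// Constructed lockfile: the direct dependency is already on the fixed
// line, but a plugin still pins a nested 9.x copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/liquidjs': { version: '10.0.0' },
    'node_modules/some-plugin': { version: '1.2.3' },
    'node_modules/some-plugin/node_modules/liquidjs': { version: '9.42.0' },
  },
};

console.log(auditLockfile(sampleLock));
```

In practice the nested copy is the one that slips through: a top-level upgrade to 10.0.0 does not remove a second `liquidjs` that another package vendors underneath itself, so the audit reports by install path rather than by package name alone.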
Additional Resources
- https://github.com/harttle/liquidjs/commit/7eb621601c2b05d6e379e5ce42219f2b1f556208
- https://github.com/harttle/liquidjs/commit/7e99efc5131e20cf3f59e1fc2c371a15aa4109db
- https://github.com/harttle/liquidjs/issues/454
- https://security.snyk.io/vuln/SNYK-JS-LIQUIDJS-2952868
- https://osv.dev/vulnerability/GHSA-45rm-2893-5f49
- https://groups.google.com/u/0/a/snyk.io/g/report/c/9ipXecWRtTM/m/IgLadevtCQAJ
What are Similar Vulnerabilities to CVE-2022-25948?
Similar Vulnerabilities: CVE-2020-7679, CVE-2021-23396, CVE-2020-7798, CVE-2021-3807, CVE-2021-23382
