CVE-2022-26260
prototype pollution vulnerability in simple-plist (npm)

Type: prototype pollution. Exploit status: no known exploit.

What is CVE-2022-26260 About?

This vulnerability in simple-plist v1.3.0 is a prototype pollution flaw in the library's .parse() method. It allows an attacker to inject arbitrary properties into JavaScript object prototypes, which can lead to impacts ranging from denial of service to, in some application contexts, remote code execution. Exploitation requires supplying a crafted plist file to an application that parses it with the vulnerable library.

Affected Software

simple-plist <1.3.1

Technical Details

The vulnerability in simple-plist v1.3.0 stems from improper handling of data within its .parse() method. When parsing a specially crafted plist (Property List) file, the simple-plist library fails to adequately sanitize or validate input that can manipulate JavaScript object prototypes. This allows an attacker to inject arbitrary properties directly into the Object.prototype, which is then inherited by all JavaScript objects. Such 'prototype pollution' can lead to various unexpected behaviors, including denial of service, data integrity issues, or, when combined with other weaknesses in the application, potentially even arbitrary code execution by subverting application logic or gadget chains.
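The mechanism described above is generic to any parser that copies attacker-controlled keys into a plain JavaScript object. The following added example (written for this page; it is not simple-plist's own code and does not reproduce its parser) shows the bug class with a constructed stand-in for a parsed plist dictionary: a naive builder that lets a `__proto__` key reach `Object.prototype`, a hardened builder that refuses prototype-chain keys and writes into a null-prototype object, and a post-parse check a service can run after handling untrusted input. `SAMPLE_PAIRS`, `naiveBuild`, `safeBuild`, `isPrototypePolluted` and `demonstrate` are all names introduced here.

```javascript
'use strict';

// Keys that address the prototype chain rather than a plain data field.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern (illustration only, not simple-plist's code):
// target[key] with key === '__proto__' resolves to Object.prototype, so the
// nested pairs are written onto every object in the process.
function naiveBuild(pairs, target = {}) {
  for (const [key, value] of pairs) {
    if (Array.isArray(value)) {
      // A value that is itself a list of pairs is a nested dictionary.
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      naiveBuild(value, target[key]);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: reject prototype-chain keys outright (so malformed input
// is visible in logs instead of silently dropped) and build into
// null-prototype objects, so even a missed key cannot reach Object.prototype.
function safeBuild(pairs, target = Object.create(null)) {
  for (const [key, value] of pairs) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-chain key "${String(key)}"`);
    }
    if (Array.isArray(value)) {
      const ownChild = Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' && target[key] !== null;
      if (!ownChild) {
        target[key] = Object.create(null);
      }
      safeBuild(value, target[key]);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Post-parse health check: true if Object.prototype has gained an own
// property with this name, i.e. pollution has already happened.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed sample input standing in for a parsed plist dictionary that
// carries a "__proto__" key; the nested pair is the payload a naive builder
// would copy onto Object.prototype.
const SAMPLE_PAIRS = [
  ['CFBundleName', 'Example'],
  ['__proto__', [['polluted', true]]],
];

// Runs both builders over the same input and reports what each did.
function demonstrate() {
  const before = isPrototypePolluted('polluted');
  naiveBuild(SAMPLE_PAIRS);
  const afterNaive = isPrototypePolluted('polluted');
  // Undo the pollution so the rest of the process is unaffected.
  delete Object.prototype.polluted;

  let safeRejected = false;
  try {
    safeBuild(SAMPLE_PAIRS);
  } catch (err) {
    safeRejected = true;
  }
  const afterSafe = isPrototypePolluted('polluted');
  return { before, afterNaive, safeRejected, afterSafe };
}

console.log(demonstrate());
// → { before: false, afterNaive: true, safeRejected: true, afterSafe: false }
```

The `isPrototypePolluted` check is cheap enough to run in a health endpoint or after each parse of untrusted data; a true result is a clear signal to fail the request and alert, since the damage is process-wide and not limited to the object being parsed.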

What is the Impact of CVE-2022-26260?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, which can lead to denial of service, data corruption, or in certain contexts, arbitrary code execution.

What is the Exploitability of CVE-2022-26260?

Exploiting this prototype pollution vulnerability requires the ability to provide a specially crafted plist file that will be processed by the simple-plist library. The complexity is moderate, as it requires knowledge of JavaScript's prototype chain and how to craft a plist to achieve pollution. No specific authentication or privilege requirements are typically needed to supply the malicious input, assuming the application processes user-controlled plist files. This is primarily a remote vulnerability if the application accepts plist files over a network, but could also be local. The key risk factor is any application that deserializes or parses untrusted plist data using the vulnerable library.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-26260?

Available Upgrade Options

  • simple-plist
    • <1.3.1 → Upgrade to 1.3.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-26260?

Similar Vulnerabilities: CVE-2021-23376, CVE-2021-23424, CVE-2021-23439, CVE-2020-7798, CVE-2020-7799