CVE-2022-37602
Prototype Pollution vulnerability in grunt-karma (npm)

What is CVE-2022-37602 About?

This is a prototype pollution vulnerability in grunt-karma 4.0.1 (karma-runner). It allows an attacker to inject arbitrary properties into JavaScript object prototypes, which can lead to security issues such as remote code execution or denial of service. It is generally easy to exploit given the right conditions.

Affected Software

grunt-karma <=4.0.1

Technical Details

The prototype pollution vulnerability exists in karma-runner (specifically grunt-karma 4.0.1) within the `grunt-karma.js` file, via the `key` variable. Prototype pollution occurs when an attacker can add or modify properties of the global object prototype (`Object.prototype`). If an attacker can control the `key` variable and set it to `__proto__`, they can define or overwrite properties on `Object.prototype`. Because objects inherit from `Object.prototype`, the polluted properties then show up on objects throughout the application, leading to issues like arbitrary property modification, bypass of security checks, or even remote code execution, depending on which properties can be polluted and how the application uses them.

What is the Impact of CVE-2022-37602?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, potentially leading to denial of service, information disclosure, or remote code execution.

What is the Exploitability of CVE-2022-37602?

Exploitation of this vulnerability typically involves providing specially crafted input that contains `__proto__` as a key, allowing the modification of `Object.prototype`. The complexity can vary from low to moderate depending on how easily an attacker can control the `key` variable within the application's context. Authentication and privilege requirements depend on where the vulnerable code is exposed and whether input sanitization is present. The attack could be remote or local depending on the application's exposure. Special conditions often include a lack of input validation or sanitization before values are assigned to object properties. Risk factors include applications that process untrusted data and dynamically create object properties without proper validation.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-37602?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2022-37602?

Similar Vulnerabilities: CVE-2020-28045, CVE-2021-23386, CVE-2020-7712, CVE-2021-23420, CVE-2021-23403