CVE-2022-37611
Prototype pollution vulnerability in gh-pages (npm)
What is CVE-2022-37611 About?
This is a prototype pollution vulnerability in the 'gh-pages' library, specifically within the 'util.js' file, which can allow an attacker to inject arbitrary properties into JavaScript object prototypes. This can lead to various impacts including denial of service, remote code execution, or property hijacking. Exploitation of this vulnerability is generally straightforward once the vulnerable codepath is triggered.
Affected Software
Technical Details
The vulnerability resides in the 'tschaub gh-pages' library, specifically targeting the 'partial' variable within the 'util.js' file. Prototype pollution occurs when an attacker can control and modify the properties of 'Object.prototype'. In this scenario, it is plausible that malicious input provided to the 'partial' variable, without proper sanitization or validation, allows an attacker to inject `__proto__` or constructor.prototype properties. This manipulation means that any object subsequently created or accessed without explicitly overriding these modified properties will inherit the attacker-controlled properties, potentially leading to property modification, unexpected behavior, or even remote code execution if sensitive properties are overwritten or functions are hijacked.
What is the Impact of CVE-2022-37611?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to denial of service, remote code execution, or other unexpected behaviors like property hijacking across the application.
What is the Exploitability of CVE-2022-37611?
Exploiting this vulnerability typically requires an attacker to provide specially crafted input that is then processed by the vulnerable 'util.js' component. The complexity is moderate, as it requires understanding the application's data flow to trigger the pollution. Authentication might not be required if the vulnerable code path can be reached through unauthenticated inputs, but could be higher if administrative privileges are needed to supply the malicious payload. This is likely a remote vulnerability if the input can be supplied via a network request, but could be local if it's an internal-facing component. The primary risk factor is the application's reliance on unsanitized user-controlled input in object property assignments or merges.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-37611?
About the Fix from Resolved Security
The patch replaces an object used as a directory set with a proper Set, eliminating the risk of prototype pollution through malicious file paths. This prevents attackers from injecting properties like `__proto__` into the dirs object, which was the root of the vulnerability described in CVE-2022-37611.
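The pattern this fix addresses, as an added example (not gh-pages' own code, and not from the original page): a plain object used as a set of directory names keyed by path-derived strings, next to the Set-based form. The function names, the '/'-separated relative paths and the sample file list are constructed for illustration.

```javascript
// Added illustration; names and sample paths are constructed, not from gh-pages.

// Return every ancestor directory prefix of a relative, '/'-separated file path.
function dirPrefixes(filepath) {
  const parts = filepath.split('/').slice(0, -1); // drop the file name
  const prefixes = [];
  let partial = '';
  for (const part of parts) {
    partial = partial === '' ? part : partial + '/' + part;
    prefixes.push(partial);
  }
  return prefixes;
}

// Weak pattern: a plain object as a set, keyed by path-derived strings.
function uniqueDirsObject(files) {
  const dirs = {};
  for (const file of files) {
    for (const partial of dirPrefixes(file)) {
      // The key '__proto__' reaches the accessor inherited from
      // Object.prototype instead of creating an own property.
      dirs[partial] = true;
    }
  }
  return Object.keys(dirs);
}

// Hardened pattern: a Set stores the strings as values, never as property names.
function uniqueDirsSet(files) {
  const dirs = new Set();
  for (const file of files) {
    for (const partial of dirPrefixes(file)) {
      dirs.add(partial);
    }
  }
  return Array.from(dirs);
}

// Constructed input: one ordinary path and one whose top directory is '__proto__'.
const sampleFiles = ['docs/img/logo.png', '__proto__/assets/x.js'];

console.log(uniqueDirsObject(sampleFiles));
console.log(uniqueDirsSet(sampleFiles));
```

The object version silently omits the `__proto__` directory because the assignment never becomes an own key, while the Set version returns all four prefixes.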
Available Upgrade Options
- gh-pages
  - <5.0.0 → Upgrade to 5.0.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-8mmm-9v2q-x3f9
- https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L16
- https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L11
- https://github.com/tschaub/gh-pages/issues/446
- https://github.com/tschaub/gh-pages/pull/452
- https://nvd.nist.gov/vuln/detail/CVE-2022-37611
- https://github.com/tschaub/gh-pages
What are Similar Vulnerabilities to CVE-2022-37611?
Similar Vulnerabilities: CVE-2020-28280, CVE-2021-23381, CVE-2021-23425, CVE-2021-3807, CVE-2022-21824
