CVE-2022-37614
Prototype pollution vulnerability in mockery (npm)
What is CVE-2022-37614 About?
This is a prototype pollution vulnerability in 'mfncooper mockery' via the 'enable' function in 'mockery.js'. An attacker can manipulate the 'key' variable to inject arbitrary properties into JavaScript object prototypes. This can lead to various impacts including denial of service, remote code execution, or property hijacking. Exploitation of this vulnerability is generally straightforward once the vulnerable codepath is triggered.
Affected Software
Technical Details
The vulnerability lies within the mfncooper mockery library, specifically in the enable function within mockery.js (commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf). Prototype pollution occurs when an attacker can control the value of the key variable in a way that allows them to inject or modify properties of Object.prototype (or other prototypes). This often happens when key is used in a path-like manner (e.g., obj[key] = value) and the attacker can provide __proto__ as part of key. By leveraging this, an attacker can define arbitrary properties that will then be inherited by all JavaScript objects in the application, potentially leading to property overrides, unexpected behavior, or even remote code execution if method pointers or critical configuration objects are manipulated.
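The key-assignment pattern described above, as an added JavaScript example that is not mockery's code and not part of the original advisory: a path setter that writes to Object.prototype when a segment is __proto__, beside a hardened version. All function names and the isAdmin and options.verbose keys are constructed for illustration.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe (constructed example, not mockery.js code): each segment is used directly as a key.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (const segment of segments.slice(0, -1)) {
    if (typeof node[segment] !== 'object' || node[segment] === null) {
      node[segment] = {};
    }
    node = node[segment]; // "__proto__" resolves to Object.prototype here
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-related keys and descend only into own properties.
function setPathSafe(target, path, value) {
  const segments = path.split('.');
  if (segments.some((s) => FORBIDDEN_KEYS.has(s))) {
    throw new TypeError('prototype-related key rejected: ' + path);
  }
  let node = target;
  for (const segment of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, segment);
    if (!own || typeof node[segment] !== 'object' || node[segment] === null) {
      node[segment] = Object.create(null); // no prototype chain to walk into
    }
    node = node[segment];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Runs both versions on a constructed key and reports what happened.
function comparePathSetters() {
  const result = { safeRejected: false };
  setPathUnsafe({}, '__proto__.isAdmin', true);
  result.unsafePolluted = ({}).isAdmin === true; // unrelated object inherits it
  delete Object.prototype.isAdmin; // restore global state
  try {
    setPathSafe({}, '__proto__.isAdmin', true);
  } catch (err) {
    result.safeRejected = err instanceof TypeError;
  }
  result.safePolluted = 'isAdmin' in {};
  result.normalWrite = setPathSafe({}, 'options.verbose', true).options.verbose;
  return result;
}
```

The same guard applies to any code that copies caller-supplied keys into an options object; freezing Object.prototype at startup is a complementary hardening step.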
What is the Impact of CVE-2022-37614?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to denial of service, remote code execution, or other unexpected behaviors like property hijacking across the application.
What is the Exploitability of CVE-2022-37614?
Exploiting this vulnerability typically involves providing specially crafted input that influences the key variable within the enable function. The complexity is moderate, requiring an understanding of the application's data flow and how mockery.js processes inputs. Authentication might not be required if the enable function can be indirectly triggered by unauthenticated inputs, but the requirement could be higher if the function is part of an administrative API. Whether the vulnerability is remote or local is context-dependent: it is remote if the input path is networked, and local if the code runs within a controlled environment. The key risk factor is the processing of untrusted input in a context that allows prototype manipulation via key assignment.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-37614?
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/mfncooper/mockery/blob/822f0566fd6d72af8c943ae5ca2aa92e516aa2cf/mockery.js#L62
- https://github.com/mfncooper/mockery/blob/822f0566fd6d72af8c943ae5ca2aa92e516aa2cf/mockery.js#L119
- https://github.com/mfncooper/mockery/issues/77
- https://osv.dev/vulnerability/GHSA-gmwp-3pwc-3j3g
- https://nvd.nist.gov/vuln/detail/CVE-2022-37614
- https://github.com/mfncooper/mockery
What are Similar Vulnerabilities to CVE-2022-37614?
Similar Vulnerabilities: CVE-2020-28280, CVE-2021-23381, CVE-2021-23425, CVE-2021-3807, CVE-2022-21824
