CVE-2022-37617
Prototype Pollution vulnerability in browserify-shim (npm)

Category: Prototype Pollution. Known public exploit: none.

What is CVE-2022-37617 About?

This is a Prototype Pollution vulnerability found in the `resolveShims` function within `thlorenz browserify-shim` version 3.8.15. By manipulating the `k` variable, an attacker can modify the prototype of base JavaScript objects. Exploitation is of moderate difficulty, depending on how external input controls the vulnerable variable.

Affected Software

browserify-shim <3.8.16

Technical Details

The vulnerability exists in the resolveShims function in resolve-shims.js of the thlorenz browserify-shim package. It arises because the key k used to write into an object is taken from input without being validated. An attacker who can supply a specially crafted value for k (e.g., __proto__ or constructor.prototype) can reach and modify the prototype chain of JavaScript objects. This 'prototype pollution' lets an attacker inject or modify properties on Object.prototype, which then affect every object in the application, potentially leading to property injection, denial of service, or even remote code execution in certain contexts.
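The key-handling pattern the advisory describes, shown as an added example rather than browserify-shim's own code: a recursive config merge that trusts every key (the vulnerable shape) beside a hardened merge that drops prototype-affecting keys, plus a check a test suite can run to confirm Object.prototype stayed clean. The config shape, the merge functions and the payload are all constructed for illustration.

```javascript
// Added example (not browserify-shim's own code). Models the advisory's
// pattern: shim config keys (the loop variable k) are merged into an object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable shape: a recursive merge that trusts every key. When k is
// "__proto__", target[k] resolves to Object.prototype and the recursion
// writes the attacker's properties onto it.
function mergeNaive(target, source) {
  for (const k in source) {
    if (isPlainObject(source[k]) && isPlainObject(target[k])) {
      mergeNaive(target[k], source[k]);
    } else {
      target[k] = source[k];
    }
  }
  return target;
}

// Hardened merge: own enumerable keys only, prototype-affecting keys are
// dropped, and nested containers are null-prototype so there is no chain.
function mergeSafe(target, source) {
  for (const k of Object.keys(source)) {
    if (UNSAFE_KEYS.has(k)) continue; // drop __proto__, constructor, prototype
    const v = source[k];
    if (isPlainObject(v)) {
      if (!Object.hasOwn(target, k) || !isPlainObject(target[k])) {
        target[k] = Object.create(null);
      }
      mergeSafe(target[k], v);
    } else {
      target[k] = v;
    }
  }
  return target;
}

// Detection check for tests/CI: Object.prototype's built-ins are all
// non-enumerable, so any key returned here was injected by application code.
function prototypeLeaks() {
  return Object.keys(Object.prototype);
}

// Constructed shim config carrying a __proto__ key, as the advisory names.
const CONSTRUCTED_CONFIG = JSON.parse(
  '{"jquery":{"exports":"$"},"__proto__":{"polluted":true}}');

function demo() {
  mergeNaive({}, CONSTRUCTED_CONFIG);
  const naiveLeaks = prototypeLeaks();
  delete Object.prototype.polluted; // undo the pollution before the safe run
  const safeTarget = mergeSafe(Object.create(null), CONSTRUCTED_CONFIG);
  return { naiveLeaks, safeLeaks: prototypeLeaks(), safeKeys: Object.keys(safeTarget) };
}
```

Running `demo()` reports `['polluted']` for the naive merge and an empty list for the hardened one, with only the `jquery` key surviving into the safe target.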

What is the Impact of CVE-2022-37617?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, which could lead to property injection, denial of service, or, in some cases, remote code execution through unexpected behavior in downstream code.

What is the Exploitability of CVE-2022-37617?

Exploitation complexity is moderate, requiring the ability to control input that eventually flows into the k variable within the resolveShims function. Authentication and privilege requirements depend on where the vulnerable function is used and how it processes external input. If the application exposes a web interface that directly or indirectly feeds user input into this function, it could be a remote attack. There are no special conditions beyond controlling the specific variable (k). Risk factors include applications that deserialize untrusted JSON or other data formats that can be mapped to JavaScript objects without proper input sanitization.

What are the Known Public Exploits?

| PoC | Author | Link | Commentary |
| --- | --- | --- | --- |
| No known exploits | | | |

What are the Available Fixes for CVE-2022-37617?

Available Upgrade Options

  • browserify-shim
    • <3.8.16 → Upgrade to 3.8.16


Additional Resources

What are Similar Vulnerabilities to CVE-2022-37617?

Similar Vulnerabilities: CVE-2023-45136, CVE-2023-4316, CVE-2023-38827, CVE-2023-38602, CVE-2023-1087