CVE-2022-37623
Prototype pollution vulnerability in browserify-shim (npm)

Prototype pollution | No known exploit

What is CVE-2022-37623 About?

This vulnerability is a prototype pollution in the `resolveShims` function of the `thlorenz/browserify-shim` library. It allows attackers to inject or modify properties of an object's prototype, potentially leading to arbitrary code execution or denial of service. Exploitation occurs via manipulation of the `shimPath` variable.

Affected Software

browserify-shim <3.8.16

Technical Details

The vulnerability exists in the `resolveShims` function within `resolve-shims.js` of the browserify-shim package, version 3.8.15. Specifically, it involves the `shimPath` variable. Prototype pollution occurs when an attacker can control and modify the `__proto__` property of a JavaScript object. By manipulating `shimPath` (likely through user-controlled input), an attacker can introduce arbitrary properties into `Object.prototype` or overwrite existing ones. Because every ordinary object inherits from `Object.prototype`, the change can affect all objects in the application, leading to unexpected behavior, property overwrites, or, in some cases, remote code execution if a gadget chain can be formed from the modified prototype properties.

What is the Impact of CVE-2022-37623?

Successful exploitation may allow attackers to inject arbitrary properties into object prototypes, potentially leading to arbitrary code execution, denial of service, or other critical runtime modifications.

What is the Exploitability of CVE-2022-37623?

Exploitation complexity for prototype pollution can range from moderate to high, depending on the desired impact (e.g., DoS vs. RCE). It typically requires crafting specific JSON or JavaScript input that is processed by the vulnerable function. Authentication requirements depend on whether the shimPath variable can be influenced by authenticated or unauthenticated input. This can be a remote or local vulnerability depending on the attack vector. No special privileges are usually required on the target system for the attacker, but the impact is at the application level. The primary risk factor is the application processing untrusted input that directly or indirectly influences the shimPath.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-37623?

Available Upgrade Options

  • browserify-shim
    • <3.8.16 → Upgrade to 3.8.16
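
To confirm whether a project still installs an affected copy, including one pulled in transitively, the check below walks a parsed package-lock.json and reports every browserify-shim entry below 3.8.16. It is an added example, not code from browserify-shim or from this advisory; the sample lockfile and the package name `legacy-build` are constructed for illustration.

```javascript
const PKG = 'browserify-shim';
const FIXED = [3, 8, 16]; // upgrade target listed in this advisory

// Parse the leading "x.y.z" of a version string; null for git URLs, links, etc.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when v sorts strictly below 3.8.16 (prerelease suffixes are ignored).
function isAffected(v) {
  const p = parseVersion(v);
  if (!p) return false;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// List every installed copy of PKG recorded in a parsed package-lock.json.
function findCopies(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [where, meta] of Object.entries(lock.packages)) {
      if (where === `node_modules/${PKG}` || where.endsWith(`/node_modules/${PKG}`)) {
        found.push({ where, version: meta.version });
      }
    }
    return found;
  }
  // lockfileVersion 1: nested "dependencies" tree
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) found.push({ where: [...trail, name].join(' > '), version: meta.version });
      walk(meta.dependencies, [...trail, name]);
    }
  })(lock.dependencies, []);
  return found;
}

const audit = (lock) => findCopies(lock).filter((c) => isAffected(c.version));

// Constructed sample lockfile; "legacy-build" is a made-up package name.
const sampleLock = {
  packages: {
    'node_modules/browserify-shim': { version: '3.8.16' },
    'node_modules/legacy-build/node_modules/browserify-shim': { version: '3.8.15' },
  },
};
console.log(audit(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `audit`; an empty result means no recorded copy is below 3.8.16.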

What are Similar Vulnerabilities to CVE-2022-37623?

Similar Vulnerabilities: CVE-2020-28168, CVE-2020-7774, CVE-2021-23343, CVE-2021-23424, CVE-2022-24300