CVE-2023-26132
Prototype Pollution vulnerability in dottie (npm)

Vulnerability class: Prototype Pollution. Known public exploit: none.

What is CVE-2023-26132 About?

This vulnerability is a Prototype Pollution issue in the dottie package, caused by insufficient checks on the path segments that its set() function walks. A crafted path can steer the final assignment into Object.prototype instead of the intended target, so the attacker-controlled property shows up on every plain object in the process. That can alter application logic or cause a denial of service, and the input needed to trigger it is simple to construct.

Affected Software

dottie <2.0.4

Technical Details

The vulnerability affects versions of the dottie package prior to 2.0.4. Specifically, the set() function in /dottie.js does not adequately check the current variable as it walks the dotted path, so a path segment such as __proto__ makes current resolve to the shared prototype rather than to a property of the target object. An attacker who controls the path can therefore inject arbitrary properties into, or overwrite existing properties on, Object.prototype through this unchecked assignment. Depending on how the application later consumes those inherited properties, this can subvert application logic, reach remote code execution where a polluted property feeds a code-execution gadget, or cause a denial of service (for example by replacing a method every object inherits with a non-function value).

What is the Impact of CVE-2023-26132?

Successful exploitation allows an attacker to inject arbitrary properties into every JavaScript object that inherits from Object.prototype, which can alter application behavior, enable remote code execution in contexts where a polluted property reaches a gadget, or cause a denial of service.

What is the Exploitability of CVE-2023-26132?

Exploitation of this Prototype Pollution vulnerability involves supplying a specially crafted path (for example one containing __proto__, or constructor followed by prototype) to the set() function. Attack complexity is low: no memory corruption or timing is involved, only a string that the function splits and walks. No authentication or special privilege is required beyond the ability to get attacker-controlled data into the path argument. In practice that means an application endpoint that forwards user-supplied keys (query parameters, JSON bodies, form field names) into dottie's set(); an attacker does not need any direct access to the server. The primary risk factor is therefore whether the application uses dottie and whether user-controlled data can reach the vulnerable set() call as a path.
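The following is an added illustration of the mechanism described under Technical Details and Exploitability above. It is written for this page and is not dottie's own code: naiveSet() is a minimal dot-path setter that reproduces the class of weakness the advisory describes (the walked segments are never checked), and safeSet() shows the kind of per-segment check that closes it. The payload strings, the `polluted` property name and the helper names are constructed for the example.

```javascript
// Added illustration for CVE-2023-26132, not dottie's code. naiveSet()
// reproduces the weakness class (unchecked path segments); safeSet() is the
// hardened form. Run with: node pollution.js

const BLOCKED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function splitPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Vulnerable form: intermediate segments are followed wherever the property
// lookup leads, so "__proto__" walks up to Object.prototype and the final
// assignment lands on the shared prototype instead of the target object.
function naiveSet(object, path, value) {
  const pieces = splitPath(path);
  let current = object;
  for (let i = 0; i < pieces.length - 1; i++) {
    const piece = pieces[i];
    if (current[piece] === undefined || current[piece] === null) {
      current[piece] = {};
    }
    current = current[piece];
  }
  current[pieces[pieces.length - 1]] = value;
  return object;
}

// Hardened form: every segment is screened (screening only the first one
// would still let "a.__proto__.x" through), and an intermediate object is
// reused only when it is an own data property of the object being walked.
function safeSet(object, path, value) {
  const pieces = splitPath(path);
  for (const piece of pieces) {
    if (BLOCKED_SEGMENTS.has(piece)) {
      throw new TypeError(`refusing to set through "${piece}"`);
    }
  }
  let current = object;
  for (let i = 0; i < pieces.length - 1; i++) {
    const piece = pieces[i];
    const reusable =
      Object.prototype.hasOwnProperty.call(current, piece) &&
      typeof current[piece] === "object" &&
      current[piece] !== null;
    if (!reusable) {
      current[piece] = {};
    }
    current = current[piece];
  }
  current[pieces[pieces.length - 1]] = value;
  return object;
}

// Applies one path to a throwaway object and reports whether an unrelated,
// freshly created object inherited the property afterwards. The prototype is
// cleaned up so each probe starts from an unpolluted state.
function probe(setter, path) {
  const marker = "polluted-" + Math.random().toString(36).slice(2);
  let threw = false;
  try {
    setter({}, path, marker);
  } catch (err) {
    threw = true;
  }
  const leaked = ({}).polluted === marker;
  delete Object.prototype.polluted;
  return { threw, leaked };
}

// Constructed payloads in the shape an attacker would feed into a path that
// reaches set(); the last one is why a first-segment-only check is not enough.
const PAYLOADS = [
  "__proto__.polluted",
  "constructor.prototype.polluted",
  "a.__proto__.polluted",
];

function report(setter) {
  const out = {};
  for (const p of PAYLOADS) out[p] = probe(setter, p);
  out["user.name"] = probe(setter, "user.name"); // benign path for comparison
  return out;
}

console.log("naiveSet:", report(naiveSet));
console.log("safeSet: ", report(safeSet));
```

Against naiveSet() all three payloads leak the property onto a fresh `{}`; against safeSet() each throws a TypeError and nothing leaks, while the benign `user.name` path behaves identically in both. The own-property check in safeSet() matters independently of the blocklist: it stops the walk from reusing anything inherited, so even a segment that happens to match an inherited name creates a fresh own object instead of descending into shared state.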

What are the Known Public Exploits?

No public proof-of-concept exploits (PoC, author, link, commentary) are listed for this vulnerability.

What are the Available Fixes for CVE-2023-26132?

Available Upgrade Options

  • dottie
    • <2.0.4 → Upgrade to 2.0.4 or later

dottie is frequently pulled in as a transitive dependency rather than installed directly, so check the resolved version with npm ls dottie (or the equivalent for your package manager) and confirm that the lockfile resolves to 2.0.4 or later after the upgrade.


Additional Resources

What are Similar Vulnerabilities to CVE-2023-26132?

Similar Vulnerabilities: CVE-2020-28282, CVE-2020-7798, CVE-2021-23389, CVE-2020-7712