CVE-2023-45857
Prototype Pollution vulnerability in axios (npm)
What is CVE-2023-45857 About?
All versions of the `node-gettext` package are vulnerable to Prototype Pollution through the `addTranslations()` function in `gettext.js`. This is caused by improper user input sanitization, allowing attackers to inject properties into object prototypes. Its exploitation could lead to denial of service or, in specific contexts, arbitrary code execution.
Affected Software
- axios
  - >1.0.0, <1.6.0
  - >0.8.1, <0.28.0
Technical Details
The node-gettext package, across all its versions, contains a Prototype Pollution vulnerability within the addTranslations() function in gettext.js. This occurs because user-supplied translation data, which can contain keys and values, is merged into existing objects without proper validation or sanitization. If an attacker can control the keys of the translation data, they can submit a specially crafted key like __proto__ or constructor.prototype. When this malicious key is used in an object merge or assignment operation, it allows the attacker to inject arbitrary properties and values directly into the Object.prototype. Since Object.prototype is the base for all JavaScript objects, polluting it affects the behavior and properties of all objects throughout the application.
What is the Impact of CVE-2023-45857?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to denial of service, unexpected application behavior, or potentially arbitrary code execution by corrupting global objects and runtime logic.
What is the Exploitability of CVE-2023-45857?
Exploitation of this Prototype Pollution vulnerability has a moderate complexity. It requires an attacker to provide specially crafted input to the addTranslations() function. This can be exploited remotely if the application takes translation data directly from untrusted users. Authentication requirements depend on whether the addTranslations() function or a wrapper for it is accessible to unauthenticated users; it could be exploited by either authenticated or unauthenticated attackers. No special privileges are required on the server itself, as the exploit targets the application's JavaScript runtime environment. The main prerequisite is the ability to supply malicious translation data to the node-gettext library. Risk factors are high in applications that allow untrusted users to manage or submit translation content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| intercept6 | Link | Demo confirming the behavior of CVE-2023-45857 |
| fuyuooumi1027 | Link | PoC for CVE-2023-45857 |
| valentin-panov | Link | PoC for CVE-2023-45857 |
What are the Available Fixes for CVE-2023-45857?
About the Fix from Resolved Security
The patch prevents sending XSRF tokens on cross-origin requests, even when withCredentials is true, by ensuring the XSRF header is set only for same-origin requests. This mitigates the vulnerability described in CVE-2023-45857, where attackers could exploit withCredentials to leak XSRF tokens on cross-origin requests, potentially bypassing CSRF protections.
Available Upgrade Options
- axios
  - >0.8.1, <0.28.0 → Upgrade to 0.28.0
  - >1.0.0, <1.6.0 → Upgrade to 1.6.0
Additional Resources
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0
- https://github.com/axios/axios
- https://github.com/axios/axios/releases/tag/v0.28.0
- https://github.com/axios/axios/issues/6006
- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967
- https://github.com/axios/axios/pull/6091
- https://nvd.nist.gov/vuln/detail/CVE-2023-45857
What are Similar Vulnerabilities to CVE-2023-45857?
Similar Vulnerabilities: CVE-2020-28283, CVE-2020-8200, CVE-2019-11358, CVE-2019-10744, CVE-2018-3721
