GHSA-hpqf-m68j-2pfx
Prototype Pollution vulnerability in js-object-utilities
What is GHSA-hpqf-m68j-2pfx About?
This vulnerability in `js-object-utilities` allows Prototype Pollution through the `lib.set` function. An attacker can modify the global prototype chain, leading to denial of service, or potentially arbitrary command execution if the polluted property propagates to sensitive APIs. Exploitation is straightforward, as demonstrated by the provided PoC.
Affected Software
Technical Details
The `js-object-utilities` package, specifically in versions up to 2.2.0, is vulnerable to Prototype Pollution via the `lib.set` function. The vulnerability occurs because `lib.set` does not adequately disallow modifications to `Object.prototype` or its properties. An attacker can craft a payload by providing a path like `__proto__.pollutedKey` to `lib.set`. When this function attempts to set a value at this path, it modifies the `Object.prototype`, adding or altering properties across all objects. This manipulation can lead to a Denial of Service (DoS) by causing unexpected behavior or crashes throughout the application. Furthermore, if a polluted property aligns with sensitive Node.js APIs (e.g., `exec`, `eval`), it could escalate to arbitrary command execution, allowing the attacker to run commands within the application's context.
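The bug class described above and one way to close it, as an added example (not code from the advisory or from js-object-utilities). `naiveSet` is a constructed stand-in for an unfiltered dot-path setter; `safeSet`, `BLOCKED`, `demo` and the value `123` are hypothetical.

```javascript
// Constructed stand-in for a dot-path setter with no key filtering.
// It is NOT the js-object-utilities source; it only reproduces the bug class.
function naiveSet(target, path, value) {
  const keys = path.split(".");
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (node[key] === null || typeof node[key] !== "object") node[key] = {};
    node = node[key]; // "__proto__" resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: reject prototype-reaching segments, walk own properties only.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function safeSet(target, path, value) {
  const keys = String(path).split(".");
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new TypeError(`refusing unsafe path segment in "${path}"`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    // Descend only into own, non-null object properties; never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== "object") node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on the advisory's path and reports what happened.
function demo() {
  const result = {};
  naiveSet({}, "__proto__.pollutedKey", 123);
  result.naivePolluted = ({}).pollutedKey === 123; // unrelated objects inherit it
  delete Object.prototype.pollutedKey;             // undo the demo's side effect
  try {
    safeSet({}, "__proto__.pollutedKey", 123);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.safeClean = !("pollutedKey" in {});
  result.normalWrite = safeSet({}, "a.b.c", 1).a.b.c === 1;
  return result;
}

console.log(demo());
```

The `"pollutedKey" in {}` check also works as a regression test around any path-setting helper that receives untrusted keys.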
What is the Impact of GHSA-hpqf-m68j-2pfx?
Successful exploitation may allow attackers to cause a denial of service, introduce arbitrary properties to objects, or potentially achieve arbitrary command execution, leading to full system compromise or data manipulation.
What is the Exploitability of GHSA-hpqf-m68j-2pfx?
Exploitation of this Prototype Pollution vulnerability is straightforward, as detailed by the provided PoC. It involves calling the `lib.set` function with a specially crafted key (e.g., `__proto__.pollutedKey`) and a value. No authentication or special privileges are required, provided the attacker can control arguments passed to `lib.set`. The attack can be local (e.g., via user-input data processed by the application) or remote, depending on how the `set` function is exposed. The primary risk factor is applications that directly or indirectly pass untrusted user input to the `lib.set` function without proper sanitization or validation, especially when the polluted properties can affect critical application logic or external APIs.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-hpqf-m68j-2pfx?
Available Upgrade Options
- js-object-utilities
  - <2.2.1 → Upgrade to 2.2.1
Additional Resources
What are Similar Vulnerabilities to GHSA-hpqf-m68j-2pfx?
Similar Vulnerabilities: CVE-2023-45133, CVE-2023-28432, CVE-2022-29215, CVE-2021-39139, CVE-2020-13797
