Prototype Pollution vulnerability affecting 75lb/deep-merge@1.1.1 #1
Comments
Beside pollution risk, is this issue causing you any operational problems?
The pollution is the first step to facilitate further attacks such as DOS, RCE, privilege escalation or any other OWASP 10 vulnerabilities, depending on the implementation of the module. Please refer to the details in this article Snyk.io
You answered a question I did not ask - I know what the vulnerability is, read my question again please. Is this issue currently causing you any specific operational issues? For example, is a security policy blocking you using the module, or an app which uses the module?
Just to clarify, I'm not personally using this package. However, as this issue poses a potential risk to users, I've opened it to collaborate on addressing the vulnerability for the community's safety.
yes, that's fine - I was just trying to assess the level of urgency..
This project currently uses lodash to merge objects - this issue has already been reported upstream, will monitor it..
This issue is now an error when running The issue is resolved in later versions of Lodash. https://github.com/lodash/lodash/blob/6a2cc1dfcf7634fea70d1bc5bd22db453df67b42/test/__proto__-property-bugs.spec.js#L26-L54 This package imports This package should be updated to depend on
I replaced Thanks for the report, let me know if there's anything else.
Overview
Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.
PoC:
Output:
Before Attack:
{}
After Attack:
{"polluted":true}
How to prevent:
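The __proto__ path described in the Overview, as an added example that is not the deep-merge package's own code: a naive recursive merge (constructed here) beside a hardened one that refuses the __proto__, constructor and prototype keys, plus a check that reports whether Object.prototype was actually touched by the PoC-shaped payload.

```javascript
// Constructed for this issue, not the deep-merge package's own code.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: "__proto__" is copied like any other key, and target["__proto__"]
// resolves to the shared Object.prototype, which then receives the nested keys.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the keys through which a prototype is reachable, and only
// recurse into a nested object the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(source[key])) {
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
function isPolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Feed the PoC-shaped payload from the issue through a merge, report whether
// Object.prototype was touched, then restore it so the process stays clean.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  mergeFn({}, payload);
  const hit = isPolluted('polluted');
  delete Object.prototype.polluted;
  return hit;
}
console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));   // false
```

JSON.parse creates an own property literally named "__proto__", so Object.keys returns it and an unfiltered merge walks into it; the hardened merge drops it before any write happens.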