Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-jg82-xh3w-rhxx: Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution

Impact

A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.

Summary

A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.

When executing in Node.js, due to use of the prettier module, defining a parser property on __proto__ with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.

Patch

A fix has been released in [email protected].

Mitigation

Proof of Concept

Craft a malicious input file named poc.js as follows:

// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())

// Synchrony exploit PoC
{
  var __proto__ = { parser: 'poc.js' }
}

Then, run synchrony poc.js from the same directory as the malicious file.

Credits

This vulnerability was found and disclosed by William Khem-Marquez.

ghsa
#vulnerability#nodejs#js#git

Impact

A proto pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.

Summary

A proto pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.

When executing in Node.js, due to use of the prettier module, defining a parser property on proto with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.

Patch

A fix has been released in [email protected].

Mitigation

  • Upgrade synchrony to v2.4.4
  • Launch node with the --disable-proto=delete or --disable-proto=throw flag

Proof of Concept

Craft a malicious input file named poc.js as follows:

// Malicious code to be run after this file is imported. Logs the result of shell command “dir” to the console. console.log(require(‘child_process’).execSync(‘dir’).toString())

// Synchrony exploit PoC { var __proto__ = { parser: ‘poc.js’ } }

Then, run synchrony poc.js from the same directory as the malicious file.

Credits

This vulnerability was found and disclosed by William Khem-Marquez.

References

  • GHSA-jg82-xh3w-rhxx
  • https://nvd.nist.gov/vuln/detail/CVE-2023-45811
  • relative/synchrony@b583126
  • https://github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts

Related news

CVE-2023-45811: Merge pull request from GHSA-jg82-xh3w-rhxx · relative/synchrony@b583126

Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `[email protected]`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags

ghsa: Latest News

GHSA-8gc2-vq6m-rwjw: Amazon Redshift Python Connector vulnerable to SQL Injection