CVE-2021-25947

Overview

Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module `nestie` can be abused by Prototype Pollution vulnerability since the function `nestie()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

The `nestie()` function accepts `input, glue` as argument. Due to the absence of validation on the values passed into the `input` argument, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property here to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly be assigned to the new object thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the valued would be substituted as "Yes! Its Polluted" as it had been polluted.

PoC Code

var { nestie } = require("nestie")

console.log("Before : " + {}.polluted);

nestie({"__proto__.polluted": "Yes! Its Polluted"})

console.log("After : " + {}.polluted);

Affected Environments

0.0.0 to 1.0.0

Prevention

Upgrade to version 1.0.1