Overview
Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.
Details
The NPM module `just-safe-set` can be abused by Prototype Pollution vulnerability since the function `set()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or is able to manipulate the property which leads to Denial of Service or potentially Remote code execution.
PoC Details
The `set()` function accepts `obj`, `props`, and `value` as arguments. Due to the absence of validation on the values passed into the ` props` argument, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly assigned to the new object thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the value would be substituted as "Yes! It's Polluted" as it had been polluted.
PoC Code
var justSafeSet = require("just-safe-set")
var obj = {}
console.log("Before : " + {}.polluted);
justSafeSet(obj,'__proto__.polluted','Yes! Its Polluted');
console.log("After : " + {}.polluted);
Affected Environments
1.0.0 through 2.2.1
Prevention
Upgrade to version 2.2.2
Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
What is a WS vulnerability ID? 
