Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-GHR5-CH3P-VCR6

Vulnerability from github – Published: 2024-04-28 18:30 – Updated: 2024-08-02 15:45
VLAI
Summary
ejs lacks certain pollution protection
Details

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-33883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-01T08:25:03Z",
    "nvd_published_at": "2024-04-28T16:15:23Z",
    "severity": "MODERATE"
  },
  "details": "The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.",
  "id": "GHSA-ghr5-ch3p-vcr6",
  "modified": "2024-08-02T15:45:51Z",
  "published": "2024-04-28T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33883"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mde/ejs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mde/ejs/compare/v3.1.9...v3.1.10"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240605-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ejs lacks certain pollution protection"
}

GHSA-GJM5-83CW-P3P2

Vulnerability from github – Published: 2022-01-12 22:59 – Updated: 2022-01-11 18:11
VLAI
Summary
Prototype Pollution in extend2
Details

The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "extend2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-11T18:11:48Z",
    "nvd_published_at": "2022-01-10T14:10:00Z",
    "severity": "HIGH"
  },
  "details": "The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.",
  "id": "GHSA-gjm5-83cw-p3p2",
  "modified": "2022-01-11T18:11:48Z",
  "published": "2022-01-12T22:59:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23568"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eggjs/extend2/pull/2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eggjs/extend2/commit/aa332a59116c8398976434b57ea477c6823054f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eggjs/extend2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eggjs/extend2/blob/master/index.js%23L50-L60"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-EXTEND2-2320315"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in extend2"
}

GHSA-GM2V-MF3R-56JR

Vulnerability from github – Published: 2024-06-17 15:30 – Updated: 2024-07-03 18:45
VLAI
Details

A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-17T14:15:10Z",
    "severity": "HIGH"
  },
  "details": "A Prototype Pollution issue in byondreal accessor \u003c= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index.",
  "id": "GHSA-gm2v-mf3r-56jr",
  "modified": "2024-07-03T18:45:36Z",
  "published": "2024-06-17T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36583"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/97bc2fbfbcbde3a54d5536c9adeee34c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GM8G-XHH8-RMWR

Vulnerability from github – Published: 2021-05-10 19:17 – Updated: 2021-04-19 22:22
VLAI
Summary
Prototype Pollution in doc-path
Details

This affects the package doc-path before 2.1.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "doc-path"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T22:22:45Z",
    "nvd_published_at": "2020-11-15T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package doc-path before 2.1.2.",
  "id": "GHSA-gm8g-xhh8-rmwr",
  "modified": "2021-04-19T22:22:45Z",
  "published": "2021-05-10T19:17:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mrodrig/doc-path/commit/3e2bb168cf303bffcd7fae5f8d05e5300c1541c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mrodrig/doc-path/blob/stable/src/path.js%23L54"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DOCPATH-1011952"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in doc-path"
}

GHSA-GMJW-49P4-PCFM

Vulnerability from github – Published: 2021-03-12 22:44 – Updated: 2021-03-12 16:57
VLAI
Summary
Prototype poisoning
Details

Impact

The issue is as follows: when msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. As you are no doubt aware, Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5 sets the decoded object's prototype to that value.

An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other types.

There is no effect on the global prototype.

An example:

const msgpack5 = require('msgpack5')(); 

const payload = {}; 
Object.defineProperty(payload, '__proto__', { 
value: new Map().set(1, 2), 
enumerable: true 
}); 

const encoded = msgpack5.encode(payload); 
console.log(encoded); // <Buffer 81 a9 5f 5f 70 72 6f 74 6f 5f 5f 81 01 02> 

const decoded = msgpack5.decode(encoded); 

// decoded's prototype has been overwritten 
console.log(Object.getPrototypeOf(decoded)); // Map(1) { 1 => 2 } 
console.log(decoded.get); // [Function: get] 

// decoded appears to most common typechecks to be a Map 
console.log(decoded instanceof Map); // true 
console.log(decoded.toString()); // [object Map] 
console.log(Object.prototype.toString.call(decoded)); // [object Map] 
console.log(decoded.constructor.name); // Map 
console.log(Object.getPrototypeOf(decoded).constructor.name); // Map 

// decoded is not, however, a Map 
console.log(Object.getPrototypeOf(decoded) === Map.prototype); // false 

// using decoded as though it were a Map throws 
try { 
decoded.get(1); 
} catch (error) { 
console.log(error); // TypeError: Method Map.prototype.get called 
// on incompatible receiver #<Map> 
} 
try { 
decoded.size; 
} catch (error) { 
console.log(error); // TypeError: Method get Map.prototype.size 
// called on incompatible receiver #<Map> 
} 

// re-encoding the decoded value throws 
try { 
msgpack5.encode(decoded); 
} catch (error) { 
console.log(error); // TypeError: Method Map.prototype.entries 
// called on incompatible receiver #<Map> 
} 

This "prototype poisoning" is sort of a very limited inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumer's code).

Patches

Versions v5.2.1, v4.5.1, v3.6.1 include the fix.

Workarounds

Always validate incoming data after parsing before doing any processing.

For more information

If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpack5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpack5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpack5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T16:57:44Z",
    "nvd_published_at": "2021-03-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe issue is as follows: when `msgpack5` decodes a map containing a \nkey `\"__proto__\"`, it assigns the decoded value to `__proto__`. As you \nare no doubt aware, `Object.prototype.__proto__` is an accessor \nproperty for the receiver\u0027s prototype. If the value corresponding to \nthe key `__proto__` decodes to an object or `null`, `msgpack5` sets \nthe decoded object\u0027s prototype to that value. \n\nAn attacker who can submit crafted MessagePack data to a service can \nuse this to produce values that appear to be of other types; may have \nunexpected prototype properties and methods (for example `length`, \nnumeric properties, and `push` et al if `__proto__`\u0027s value decodes to \nan `Array`); and/or may throw unexpected exceptions when used (for \nexample if the `__proto__` value decodes to a `Map` or `Date`). Other \nunexpected behavior might be produced for other types. \n\nThere is no effect on the global prototype.\n\nAn example: \n\n```js \nconst msgpack5 = require(\u0027msgpack5\u0027)(); \n\nconst payload = {}; \nObject.defineProperty(payload, \u0027__proto__\u0027, { \nvalue: new Map().set(1, 2), \nenumerable: true \n}); \n\nconst encoded = msgpack5.encode(payload); \nconsole.log(encoded); // \u003cBuffer 81 a9 5f 5f 70 72 6f 74 6f 5f 5f 81 01 02\u003e \n\nconst decoded = msgpack5.decode(encoded); \n\n// decoded\u0027s prototype has been overwritten \nconsole.log(Object.getPrototypeOf(decoded)); // Map(1) { 1 =\u003e 2 } \nconsole.log(decoded.get); // [Function: get] \n\n// decoded appears to most common typechecks to be a Map \nconsole.log(decoded instanceof Map); // true \nconsole.log(decoded.toString()); // [object Map] \nconsole.log(Object.prototype.toString.call(decoded)); // [object Map] \nconsole.log(decoded.constructor.name); // Map \nconsole.log(Object.getPrototypeOf(decoded).constructor.name); // Map \n\n// decoded is not, however, a Map \nconsole.log(Object.getPrototypeOf(decoded) === Map.prototype); // false \n\n// using decoded as though it were a Map throws \ntry { \ndecoded.get(1); \n} catch (error) { \nconsole.log(error); // TypeError: Method Map.prototype.get called \n// on incompatible receiver #\u003cMap\u003e \n} \ntry { \ndecoded.size; \n} catch (error) { \nconsole.log(error); // TypeError: Method get Map.prototype.size \n// called on incompatible receiver #\u003cMap\u003e \n} \n\n// re-encoding the decoded value throws \ntry { \nmsgpack5.encode(decoded); \n} catch (error) { \nconsole.log(error); // TypeError: Method Map.prototype.entries \n// called on incompatible receiver #\u003cMap\u003e \n} \n``` \n\nThis \"prototype poisoning\" is sort of a very limited inversion of a \nprototype pollution attack. Only the decoded value\u0027s prototype is \naffected, and it can only be set to `msgpack5` values (though if the \nvictim makes use of custom codecs, anything could be a `msgpack5` \nvalue). We have not found a way to escalate this to true prototype \npollution (absent other bugs in the consumer\u0027s code). \n\n### Patches\n\nVersions v5.2.1, v4.5.1, v3.6.1 include the fix.\n\n### Workarounds\n\nAlways validate incoming data after parsing before doing any processing.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)",
  "id": "GHSA-gmjw-49p4-pcfm",
  "modified": "2021-03-12T16:57:44Z",
  "published": "2021-03-12T22:44:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/security/advisories/GHSA-gmjw-49p4-pcfm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21368"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/commit/d4e6cb956ae51c8bb2828e71c7c1107c340cf1e8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/releases/tag/v3.6.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/releases/tag/v4.5.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/releases/tag/v5.2.1"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/msgpack5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype poisoning"
}

GHSA-GMWP-3PWC-3J3G

Vulnerability from github – Published: 2022-10-12 19:00 – Updated: 2023-07-28 21:01
VLAI
Summary
mockery is vulnerable to prototype pollution
Details

Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mockery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-28T21:01:11Z",
    "nvd_published_at": "2022-10-12T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js.",
  "id": "GHSA-gmwp-3pwc-3j3g",
  "modified": "2023-07-28T21:01:11Z",
  "published": "2022-10-12T19:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37614"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mfncooper/mockery/issues/77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mfncooper/mockery"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mfncooper/mockery/blob/822f0566fd6d72af8c943ae5ca2aa92e516aa2cf/mockery.js#L119"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mfncooper/mockery/blob/822f0566fd6d72af8c943ae5ca2aa92e516aa2cf/mockery.js#L62"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mockery is vulnerable to prototype pollution"
}

GHSA-GPVC-MX6G-CCHV

Vulnerability from github – Published: 2023-08-01 06:30 – Updated: 2023-08-01 19:47
VLAI
Summary
underscore-keypath vulnerable to Prototype Pollution
Details

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like __proto__.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "underscore-keypath"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.11"
            },
            {
              "last_affected": "0.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-01T19:47:09Z",
    "nvd_published_at": "2023-08-01T05:15:34Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the `setProperty()` function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like `__proto__`.",
  "id": "GHSA-gpvc-mx6g-cchv",
  "modified": "2023-08-01T19:47:09Z",
  "published": "2023-08-01T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26139"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jeeeyul/underscore-keypath"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "underscore-keypath vulnerable to Prototype Pollution"
}

GHSA-GR58-J5WH-M333

Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:33
VLAI
Summary
Prototype Pollution in nis-utils
Details

All versions of package nis-utils up to and including 0.6.10 are vulnerable to Prototype Pollution via the setValue function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nis-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T21:33:21Z",
    "nvd_published_at": "2020-08-17T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package nis-utils up to and including 0.6.10 are vulnerable to Prototype Pollution via the setValue function.",
  "id": "GHSA-gr58-j5wh-m333",
  "modified": "2021-05-05T21:33:21Z",
  "published": "2021-05-06T17:29:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7703"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-NISUTILS-598799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in nis-utils"
}

GHSA-GRJP-4JMR-MJCW

Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2022-09-30 04:42
VLAI
Summary
express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute
Details

The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "express-xss-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21169"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-30T04:42:55Z",
    "nvd_published_at": "2022-09-26T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the `allowedTags` attribute, allowing the attacker to bypass xss sanitization.",
  "id": "GHSA-grjp-4jmr-mjcw",
  "modified": "2022-09-30T04:42:55Z",
  "published": "2022-09-27T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21169"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/issues/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://runkit.com/embed/w306l6zfm7tu"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-EXPRESSXSSSANITIZER-3027443"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute"
}

GHSA-GRR5-5V7V-G4C4

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 18:31
VLAI
Details

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR \u003c 91.9.1, Firefox \u003c 100.0.2, Firefox for Android \u003c 100.3.0, and Thunderbird \u003c 91.9.1.",
  "id": "GHSA-grr5-5v7v-g4c4",
  "modified": "2025-04-16T18:31:35Z",
  "published": "2022-12-22T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1529"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770048"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.