GHSA-M34P-749J-X6M6
Vulnerability from github – Published: 2026-06-26 22:49 – Updated: 2026-06-26 22:49Summary
js-toml's interpreter checks whether a key already exists in a parser-built container with if (object[key]) instead of if (key in object). When the prior value is a falsy primitive — false, 0, 0n, 0.0, -0, or "" — the duplicate-key branch is skipped and the value is silently overwritten by a later sub-table, dotted-key sub-table, or array-of-tables sharing the same name. Per the TOML 1.0.0 spec ("Defining a key multiple times is invalid"; "You cannot define any key or table more than once"), this should be a parse error.
The result is structural type confusion of attacker-named keys in the value returned by load(). A boolean-typed false (or numeric 0) becomes a truthy object. Host applications that gate behavior on if (config.flag), if (!user.banned), if (config.allowDelete), or if (config.publicMode) will silently take the truthy branch.
This is distinct from GHSA-65fc-cr5f-v7r2 (the 1.0.2 prototype-pollution fix). Object.prototype is not polluted. The Object.create(null) mitigation from 1.0.2 is intact; the bug here is in the duplicate-key state machine, not in container construction.
Details
Two truthy checks are wrong:
src/load/interpreter.ts:214 — Interpreter.tryCreatingObject
if (object[key]) { // falsy primitives slip through
// duplicate-key logic
} else {
object[key] = createSafeObject(); // silently overwrites the prior falsy value
...
}
src/load/interpreter.ts:278 — Interpreter.getOrCreateArray
if (object[first] && !Array.isArray(object[first])) { // same flaw
throw new DuplicateKeyError();
}
object[first] = object[first] || []; // overwrites the prior falsy value
Both should use the in operator. Containers are created via Object.create(null), so in is unambiguous (no inherited keys to worry about).
The bug is reachable through every parent-walking interpreter path:
assignValue— dotted keys inkey = valuecreateTable—[stdTable]headersgetOrCreateArray—[[arrayOfTables]]headers
PoC
isAdmin = false
[isAdmin]
forced = "yes"
import { load } from 'js-toml';
const config = load(`
isAdmin = false
[isAdmin]
forced = "yes"
`);
console.log(JSON.stringify(config));
// {"isAdmin":{"forced":"yes"}}
console.log(config.isAdmin ? 'BYPASS' : 'safe');
// BYPASS
if (config.isAdmin) {
// attacker reaches admin-only code
}
Impact
Spec-violating input acceptance leading to structural type confusion. (CWE-697)
Suggested fix
in src/load/interpreter.ts
export class Interpreter extends BaseCstVisitor {
ignoreImplicitDeclared,
ignoreExplicitDeclared
) {
- if (object[key]) {
+ if (key in object) {
if (
!isPlainObject(object[key]) ||
(!ignoreExplicitDeclared &&
export class Interpreter extends BaseCstVisitor {
return this.getOrCreateArray(keys, object[first], idx + 1);
}
- if (object[first] && !Array.isArray(object[first])) {
+ if (first in object && !Array.isArray(object[first])) {
throw new DuplicateKeyError();
}
object[first] = object[first] || [];
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "npm",
"name": "js-toml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50029"
],
"database_specific": {
"cwe_ids": [
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T22:49:28Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\n`js-toml`\u0027s interpreter checks whether a key already exists in a parser-built container with `if (object[key])` instead of `if (key in object)`. When the prior value is a falsy primitive \u2014 `false`, `0`, `0n`, `0.0`, `-0`, or `\"\"` \u2014 the duplicate-key branch is skipped and the value is silently overwritten by a later sub-table, dotted-key sub-table, or array-of-tables sharing the same name. Per the TOML 1.0.0 spec (\"Defining a key multiple times is invalid\"; \"You cannot define any key or table more than once\"), this should be a parse error.\n\nThe result is **structural type confusion of attacker-named keys** in the value returned by `load()`. A boolean-typed `false` (or numeric `0`) becomes a truthy object. Host applications that gate behavior on `if (config.flag)`, `if (!user.banned)`, `if (config.allowDelete)`, or `if (config.publicMode)` will silently take the truthy branch.\n\nThis is **distinct** from [GHSA-65fc-cr5f-v7r2](https://github.com/sunnyadn/js-toml/security/advisories/GHSA-65fc-cr5f-v7r2) (the 1.0.2 prototype-pollution fix). `Object.prototype` is **not** polluted. The `Object.create(null)` mitigation from 1.0.2 is intact; the bug here is in the duplicate-key state machine, not in container construction.\n\n### Details\n\nTwo truthy checks are wrong:\n\n`src/load/interpreter.ts:214` \u2014 `Interpreter.tryCreatingObject`\n\n```js\nif (object[key]) { // falsy primitives slip through\n // duplicate-key logic\n} else {\n object[key] = createSafeObject(); // silently overwrites the prior falsy value\n ...\n}\n```\n\n`src/load/interpreter.ts:278` \u2014 `Interpreter.getOrCreateArray`\n\n```js\nif (object[first] \u0026\u0026 !Array.isArray(object[first])) { // same flaw\n throw new DuplicateKeyError();\n}\nobject[first] = object[first] || []; // overwrites the prior falsy value\n```\n\nBoth should use the `in` operator. Containers are created via `Object.create(null)`, so `in` is unambiguous (no inherited keys to worry about).\n\nThe bug is reachable through every parent-walking interpreter path:\n\n- `assignValue` \u2014 dotted keys in `key = value`\n- `createTable` \u2014 `[stdTable]` headers\n- `getOrCreateArray` \u2014 `[[arrayOfTables]]` headers\n\n### PoC\n\n```toml\nisAdmin = false\n[isAdmin]\nforced = \"yes\"\n```\n\n```js\nimport { load } from \u0027js-toml\u0027;\n\nconst config = load(`\nisAdmin = false\n[isAdmin]\nforced = \"yes\"\n`);\n\nconsole.log(JSON.stringify(config));\n// {\"isAdmin\":{\"forced\":\"yes\"}}\n\nconsole.log(config.isAdmin ? \u0027BYPASS\u0027 : \u0027safe\u0027);\n// BYPASS\n\nif (config.isAdmin) {\n // attacker reaches admin-only code\n}\n```\n\n### Impact\n\nSpec-violating input acceptance leading to structural type confusion. (CWE-697)\n\n### Suggested fix\n\nin `src/load/interpreter.ts`\n\n```diff\nexport class Interpreter extends BaseCstVisitor {\n ignoreImplicitDeclared,\n ignoreExplicitDeclared\n ) {\n- if (object[key]) {\n+ if (key in object) {\n if (\n !isPlainObject(object[key]) ||\n (!ignoreExplicitDeclared \u0026\u0026\n```\n```diff\nexport class Interpreter extends BaseCstVisitor {\n return this.getOrCreateArray(keys, object[first], idx + 1);\n }\n\n- if (object[first] \u0026\u0026 !Array.isArray(object[first])) {\n+ if (first in object \u0026\u0026 !Array.isArray(object[first])) {\n throw new DuplicateKeyError();\n }\n\n object[first] = object[first] || [];\n```",
"id": "GHSA-m34p-749j-x6m6",
"modified": "2026-06-26T22:49:28Z",
"published": "2026-06-26T22:49:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sunnyadn/js-toml/security/advisories/GHSA-m34p-749j-x6m6"
},
{
"type": "PACKAGE",
"url": "https://github.com/sunnyadn/js-toml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "js-toml has silent type confusion via falsy-primitive duplicate-key bypass"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.