deep-object-diff 1.1.0 - Prototype Pollution
Severity: High
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: deep-object-diff 1.1.0 - Prototype Pollution
Code name:
State: Public
Release date: 15 nov 2022
Affected product: deep-object-diff
Affected version(s): Version 1.1.0
Vulnerability name: Prototype Pollution
Vulnerability type:
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v3.1 base score: 7.3
Exploit available: Yes
CVE ID(s): CVE-2022-41713
Description
Version 1.1.0 of deep-object-diff allows an external attacker to edit or add new properties to an object. This is possible because the library does not properly validate incoming JSON keys, so a key named __proto__ is processed like any other and the __proto__ property can be edited.
Vulnerability
Prototype pollution is a vulnerability class specific to JavaScript. It occurs when a third party manages to modify the __proto__ of an object. When a method or attribute is looked up, JavaScript first checks whether it exists on the object itself; if so, that one is used. If not, it looks in the object's prototype (and further up the prototype chain). If the method or attribute is not found there either, the property is undefined.
Therefore, if an attacker succeeds in injecting the __proto__ property into an object, they succeed in injecting or editing the properties of that prototype, and every object that inherits from it sees the change.
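As an added illustration (this is not the advisory's exploit.js and not deep-object-diff's own code), the following hypothetical recursive apply-diff helper reproduces the unsafe pattern the advisory describes, beside a hardened variant that rejects the dangerous keys and only descends into the target's own properties, plus a probe that detects whether Object.prototype has been polluted. The function names, the sample JSON patch and the isAdmin property are constructed for this example.

```javascript
'use strict';

// Keys that let a recursive merge/diff walk escape the target object and
// reach Object.prototype (or a constructor's prototype). Rejecting them is
// the usual hardening for this class of bug.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Hypothetical helper written in the unsafe style the advisory describes:
// every incoming key is trusted, including "__proto__".
function unsafeApplyDiff(target, patch) {
  for (const key of Object.keys(patch)) {
    const value = patch[key];
    if (isPlainObject(value)) {
      // target['__proto__'] resolves to Object.prototype, so the recursion
      // continues inside the shared prototype and writes there.
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeApplyDiff(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: skip the dangerous keys and only recurse into the
// target's own properties so inherited ones are never written through.
function safeApplyDiff(target, patch) {
  for (const key of Object.keys(patch)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = patch[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeApplyDiff(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: an own property on Object.prototype that the program
// never defined itself is the signature of a successful pollution.
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Constructed sample input shaped like the JSON the advisory describes:
// an ordinary key plus a "__proto__" key carrying attacker-chosen properties.
const SAMPLE_PATCH = '{"name": "bob", "__proto__": {"isAdmin": true}}';

function demo() {
  const result = {};
  // JSON.parse creates a real own property named "__proto__", which is
  // exactly why Object.keys() hands it to the merge loop.
  const unsafeOut = unsafeApplyDiff({ name: 'alice' }, JSON.parse(SAMPLE_PATCH));
  result.unsafePolluted = isPrototypePolluted('isAdmin');
  result.unrelatedObjectSeesIt = ({}).isAdmin === true; // any object inherits it
  result.unsafeName = unsafeOut.name;
  // Undo the pollution so the rest of the process is clean again.
  delete Object.prototype.isAdmin;

  const safeOut = safeApplyDiff({ name: 'alice' }, JSON.parse(SAMPLE_PATCH));
  result.safePolluted = isPrototypePolluted('isAdmin');
  result.safeName = safeOut.name;
  result.safeHasOwnProto = Object.prototype.hasOwnProperty.call(safeOut, '__proto__');
  return result;
}

console.log(demo());
```

The probe is also a cheap runtime check for a service that merges untrusted JSON: asserting that Object.prototype has no unexpected own properties after each merge turns a silent pollution into a logged failure.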
Exploitation
exploit.js
Evidence of exploitation

We have reserved the CVE-2022-41713 to refer to this issue from now on.
System Information
Version: deep-object-diff 1.1.0
Operating System: GNU/Linux
Mitigation
An updated version of deep-object-diff is available at the vendor page.
References
Timeline
Vendor contacted: 5 oct 2022
Vendor replied: 5 oct 2022
Vendor confirmed vuln.: 5 oct 2022
Vulnerability patched: 12 nov 2022
Public disclosure: 15 nov 2022