@alizeait/unflatto, Prototype Pollution, CVE-2025-12345 (High)

How the CVE Works:

The vulnerability exists in the `exports.unflatto` method within `/dist/index.js` of alizeait/unflatto versions <=1.0.2. Prototype pollution occurs when user-controlled input is improperly sanitized before being processed by the unflatto function. Attackers can craft malicious payloads containing special properties like `__proto__` or `constructor.prototype` that merge into the base object prototype. When these polluted properties are accessed, they modify JavaScript’s base Object prototype chain, potentially leading to:

1) Arbitrary code execution through compromised object methods

2) Denial of Service by corrupting critical object properties

3) Security bypasses via tampered prototype methods

The attack vector requires passing malicious nested objects to the unflatto function, which recursively merges properties without proper validation. This allows injection of dangerous properties into the prototype chain that affect all objects in the application.
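The merge behaviour described above, as an added example that is not code from the unflatto project: a minimal dotted-key "unflatten" (the operation unflatto performs) written once in a naive form that walks into Object.prototype and once in a hardened form that rejects prototype-chain segments and builds prototype-less objects, plus a small runtime audit of Object.prototype that the runtime-protection step below can use. The function names, the `FORBIDDEN_SEGMENTS` list and the flattened inputs are all constructed for this demonstration.

```javascript
// Added example, not code from the unflatto project: a minimal dotted-key
// "unflatten" in a naive form that is open to prototype pollution and a
// hardened form that is not, plus a runtime audit of Object.prototype.
// Function names and sample inputs are constructed for this demo.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive form: descends the path, creating intermediate objects as needed,
// without checking segment names. Starting from a plain {} the segment
// "__proto__" resolves to Object.prototype, so the final write lands there.
function unflattenNaive(flat) {
  const result = {};
  for (const path of Object.keys(flat)) {
    const parts = path.split('.');
    let cursor = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      if (typeof cursor[part] !== 'object' || cursor[part] === null) {
        cursor[part] = {};
      }
      cursor = cursor[part];
    }
    cursor[parts[parts.length - 1]] = flat[path];
  }
  return result;
}

// Hardened form: rejects any path segment that names a prototype-chain
// property, builds prototype-less objects so there is no chain to walk
// into, and only descends into properties the current object itself owns.
function unflattenSafe(flat) {
  const result = Object.create(null);
  for (const path of Object.keys(flat)) {
    const parts = path.split('.');
    const bad = parts.find((p) => FORBIDDEN_SEGMENTS.has(p));
    if (bad !== undefined) {
      throw new Error(`rejected key segment "${bad}" in path "${path}"`);
    }
    let cursor = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cursor, part);
      if (!own || typeof cursor[part] !== 'object' || cursor[part] === null) {
        cursor[part] = Object.create(null);
      }
      cursor = cursor[part];
    }
    cursor[parts[parts.length - 1]] = flat[path];
  }
  return result;
}

// Runtime audit: Object.prototype normally has no enumerable own keys, so
// any that appear are a strong sign that pollution has already happened.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed inputs: a benign flattened record and a polluting one in the
// shape the advisory describes (a "__proto__" segment in a key path).
const benign = { 'user.name': 'alice', 'user.role': 'reader' };
const hostile = { '__proto__.polluted': 'yes' };

// Runs both forms against the hostile input and reports what happened to
// Object.prototype; the naive form's damage is undone before returning.
function demo() {
  const before = pollutedPrototypeKeys();           // expected: []
  unflattenNaive(hostile);
  const after = pollutedPrototypeKeys();            // expected: ['polluted']
  delete Object.prototype.polluted;                 // undo the demo's damage

  let rejected = false;
  try { unflattenSafe(hostile); } catch (e) { rejected = true; }
  const stillClean = pollutedPrototypeKeys().length === 0;
  return { before, after, rejected, stillClean };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unflattenSafe(benign));
  console.log(demo());
}
```

The hardened form layers three independent controls (segment denylist, null-prototype containers, own-property descent) so that a bypass of any one of them still cannot reach Object.prototype; `pollutedPrototypeKeys()` is the kind of check a process can run at startup or in a health probe to detect pollution that has already occurred.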

DailyCVE Form:

Platform: Node.js
Version: <=1.0.2
Vulnerability: Prototype Pollution
Severity: High
Date: Mar 28, 2025

What Undercode Say:

// Proof of Concept
const unflatto = require('@alizeait/unflatto');
// JSON.parse creates an own "__proto__" key instead of setting the prototype,
// which is what carries the payload into the merge logic
const malicious = JSON.parse('{"__proto__":{"polluted":"yes"}}');
unflatto(malicious); // Pollution occurs
console.log(({}).polluted); // Outputs "yes"

Detection Command
# Flags an installed 1.0.0 - 1.0.2 copy (the affected range is <=1.0.2)
npm list @alizeait/unflatto --depth=0 | grep -E "unflatto@1\.0\.[0-2]$"

// Mitigation Code
const originalUnflatto = require('@alizeait/unflatto');
const FORBIDDEN_KEYS = ['__proto__', 'constructor', 'prototype'];
const safeUnflatto = (obj) => {
  if (typeof obj !== 'object' || obj === null) return obj;
  // Reject a forbidden name whether it is a whole key or one segment of a
  // dotted path such as "constructor.prototype.x"
  const hit = Object.keys(obj).some((key) =>
    key.split('.').some((seg) => FORBIDDEN_KEYS.includes(seg)));
  if (hit) {
    throw new Error('Prototype pollution attempt');
  }
  return originalUnflatto(obj);
};

Remediation Steps
npm uninstall @alizeait/unflatto
npm install @alizeait/[email protected]

// Runtime Protection (blunt: breaks code that legitimately extends Object.prototype)
Object.freeze(Object.prototype);
Object.freeze(Object);

Impact Assessment
grep -r "unflatto" ./node_modules --include="*.js"

// Sanitization Filter
function sanitize(input) {
  const FORBIDDEN_KEYS = ['__proto__', 'constructor', 'prototype'];
  // The replacer sees every own key, including the "__proto__" key that
  // JSON.parse creates, so returning undefined drops it from the copy
  return JSON.parse(JSON.stringify(input, (key, value) => {
    if (FORBIDDEN_KEYS.includes(key)) return undefined;
    return value;
  }));
}

References:

Reported By: https://github.com/advisories/GHSA-799q-f2px-wx8c
Extra Source Hub:
Undercode
