depath and cool-path, Prototype Pollution, CVE-2025-XXXX (High)

The CVE-2025-XXXX vulnerability in depath v1.0.6 and cool-path v1.1.2 arises from improper input validation in the `set()` method within the `setIn` function (lib/index.js:90). Prototype pollution occurs when an attacker injects properties into an object's prototype, from which every other object sharing that prototype then inherits them. Here the `set()` method does not sanitize user-supplied keys, so an attacker can write to the `__proto__` property or other prototype attributes. Depending on how the application uses the polluted objects, this can lead to arbitrary code execution, privilege escalation, or Denial of Service (DoS) by corrupting critical object structures.
Exploitation involves passing a crafted payload containing prototype-altering properties (e.g., `{"__proto__":{"polluted":"true"}}`). When processed by `setIn`, the payload merges into the base object and pollutes the prototype chain. Every object created afterwards inherits the injected properties, enabling further attacks such as XSS (if the object is used in DOM operations) or RCE (if used in server-side contexts).

DailyCVE Form:

Platform: depath/cool-path
Version: v1.0.6/v1.1.2
Vulnerability: Prototype Pollution
Severity: High
Date: Mar 28, 2025

What Undercode Say:

Exploit:

const depath = require('depath');
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
depath.setIn({}, [/* key path not recoverable from the advisory */], payload);
// Now all objects inherit `isAdmin: true`

Protection:

1. Update to patched versions (if available).

2. Use `Object.freeze(Object.prototype)` to block prototype modifications.

3. Implement input validation for nested keys:

function safeSet(obj, path, value) {
  // Reject any path segment that can reach the prototype chain, not only __proto__.
  const forbidden = ['__proto__', 'constructor', 'prototype'];
  if (path.some((key) => forbidden.includes(String(key)))) {
    throw new Error('Malicious payload');
  }
  // ... rest of logic
}

Analytics:

  • Attack Vector: Remote (via crafted API input).
  • Prerequisites: User-controlled input passed to setIn().
  • Impact: High (RCE/DoS possible).

Detection:

grep -r "setIn(" node_modules/depath/
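To make the description above concrete, here is an added example that is not depath's or cool-path's code: a constructed path-setter with the same `setIn(obj, path, value)` shape, shown in a vulnerable form and a hardened form that applies the Protection steps (rejecting `__proto__`, `constructor` and `prototype` in every path segment, and descending only through own properties), plus a runtime canary that complements the grep-based detection by reporting enumerable keys that have been written onto `Object.prototype`. The attacker-controlled path and all names (`setInVulnerable`, `setInSafe`, `pollutedPrototypeKeys`, `demo`) are assumptions constructed for this example.

```javascript
'use strict';
// Added example (not depath's or cool-path's code): a minimal path-setter with the
// same shape as setIn(obj, path, value), constructed to show how a '__proto__'
// segment lands on Object.prototype, how a hardened setter refuses it, and how
// to spot pollution at runtime.

// Vulnerable variant: descends the key path without validating the keys.
// For a plain object, obj['__proto__'] is Object.prototype, so the path
// ['__proto__', 'isAdmin'] writes isAdmin onto every object's prototype.
function setInVulnerable(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Keys through which a path can reach a prototype. The patch suggested on this
// page blocks the first two; 'prototype' closes the constructor.prototype route.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: rejects prototype-reaching keys in every segment and only
// descends into own properties, so inherited members such as 'toString'
// cannot serve as a pivot either.
function setInSafe(obj, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(String(key))) {
      throw new Error(`Invalid key in path: ${String(key)}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Runtime canary: Object.prototype has no enumerable own properties in a clean
// process, and properties written by plain assignment are enumerable, so any
// key returned here is evidence of pollution.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed attacker-controlled path, as it might arrive from a parsed request body.
const MALICIOUS_PATH = ['__proto__', 'isAdmin'];

// Runs both setters against an unrelated 'probe' object and reports what it saw.
function demo() {
  const probe = {};
  const before = probe.isAdmin;                  // undefined
  setInVulnerable({}, MALICIOUS_PATH, true);
  const afterVulnerable = probe.isAdmin;         // true: probe never had isAdmin set
  const canary = pollutedPrototypeKeys();        // ['isAdmin']
  delete Object.prototype.isAdmin;               // restore a clean prototype for the next step
  let safeRejected = false;
  try {
    setInSafe({}, MALICIOUS_PATH, true);
  } catch (e) {
    safeRejected = true;
  }
  const afterSafe = probe.isAdmin;               // undefined
  // The hardened setter still works for ordinary paths.
  const normal = setInSafe({}, ['user', 'role'], 'guest');
  return { before, afterVulnerable, canary, safeRejected, afterSafe, normal };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The key check runs on every segment, not just the last one, because the pivot into `Object.prototype` happens while descending. `Object.freeze(Object.prototype)` from Protection step 2 is a process-wide backstop rather than a replacement for the key check: it is irreversible, and under `'use strict'` the write in `setInVulnerable` would then throw a TypeError instead of silently failing, so third-party code that legitimately extends `Object.prototype` must be loaded before the freeze.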

Mitigation Commands:

npm audit fix --force

PoC:

const victim = {};
console.log(victim.isAdmin); // undefined
require('depath').setIn({}, [/* key path not recoverable from the advisory */], {isAdmin: true});
console.log(victim.isAdmin); // true (polluted)

Patch Suggestion:

- if (key === '__proto__') return obj;
+ if (key === '__proto__' || key === 'constructor') throw new Error('Invalid key');
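Review bot: the `+` line changes the failure mode from silently returning `obj` to throwing, so every caller of `setIn` now has to handle the exception; where the input is a parsed request body, an uncaught throw turns a blocked write into a crash unless the call site catches it. Two further points on the check itself: blocking `constructor` should be paired with blocking `prototype`, since `constructor.prototype` is the other route to `Object.prototype`, and a single-key comparison only helps if it runs for every segment of the path before descending, not just the final one, which these two lines do not show. Suggest `const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);` checked per segment, and descending only through own properties of the current object.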

References:

Reported By: https://github.com/advisories/GHSA-4h4x-4m75-47j4