How the CVE Works:
The vulnerability (CVE-2023-1234) in `js-object-utilities` v2.2.0 allows Prototype Pollution via the `lib.set` function. Attackers can inject malicious properties into `Object.prototype` by manipulating nested paths (e.g., `__proto__.pollutedKey`). This modifies the global prototype chain, affecting all objects inheriting from `Object`. The impact ranges from DoS (unexpected behavior/crashes) to RCE if polluted properties reach functions like `eval()` or `child_process.exec()`. The PoC demonstrates pollution by injecting `pollutedKey: 123` into the prototype.
DailyCVE Form:
Platform: Node.js
Version: 2.2.0
Vulnerability: Prototype Pollution
Severity: Critical
Date: 2023-01-15
What Undercode Say:
Exploit:
1. Manual Check:
npm ls js-object-utilities  # Confirm vulnerable version
2. Exploit Code (PoC):
const lib = require('js-object-utilities');
let obj = {};
// Triggers RCE if 'exec' is later used in child_process.
lib.set(obj, '__proto__.exec', 'malicious_code');
Protection:
1. Patch:
npm update [email protected]
2. Sanitization:
function safeSet(obj, path, value) {
  // Reject any path that names the prototype accessor before delegating.
  if (path.includes('__proto__')) throw new Error("Blocked");
  lib.set(obj, path, value);
}
3. Linting:
npm install --save-dev no-prototype-pollution-linter
4. Runtime Protection:
Object.freeze(Object.prototype);
Detection:
1. Static Analysis:
grep -r "lib.set" ./src  # Find vulnerable calls
2. Dynamic Testing:
node --inspect poc.js  # Debug prototype changes
References:
- CVE-2023-1234
- OWASP Prototype Pollution
Note: Audit dependencies using `npm audit` and monitor `Object.prototype` for unexpected properties.
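A guard for the Sanitization step and for the `Object.prototype` monitoring mentioned in the note above, as an added example (not code from the advisory or from `js-object-utilities`). `safeSet`, `findPollution` and `demo` are hypothetical names; the setter walks the path itself instead of calling `lib.set`, and it goes beyond the `__proto__` check by also rejecting `constructor` and `prototype` segments.

```javascript
// Added example; all names here are hypothetical, not the library's API.
// Path segments that resolve to a prototype object instead of plain data.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
// Own keys of Object.prototype at load time; later additions are suspect.
const BASELINE = new Set(Reflect.ownKeys(Object.prototype));

function safeSet(obj, path, value) {
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (segments.length === 0 || segments.some((s) => s === '' || BLOCKED_SEGMENTS.has(s))) {
    throw new Error(`Blocked unsafe path: ${JSON.stringify(path)}`);
  }
  const define = (target, key, val) => Object.defineProperty(target, key, {
    value: val, writable: true, enumerable: true, configurable: true,
  });
  let node = obj;
  for (const key of segments.slice(0, -1)) {
    // Descend only through own object-valued properties, never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      define(node, key, Object.create(null)); // null-prototype container
    }
    node = node[key];
  }
  define(node, segments[segments.length - 1], value);
  return obj;
}

// Report properties that appeared on Object.prototype after the baseline.
function findPollution() {
  return Reflect.ownKeys(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Constructed sample paths: one benign, two that target the prototype chain.
function demo() {
  const samples = ['settings.theme', '__proto__.pollutedKey', ['a', 'constructor', 'b']];
  const results = samples.map((path) => {
    try { safeSet({}, path, 123); return 'ok'; } catch (e) { return 'blocked'; }
  });
  return { results, polluted: findPollution() };
}
```

Calling `findPollution()` from a health check or a test teardown gives an empty array on a clean process and lists any key added to `Object.prototype` since load.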
References:
Reported By: https://github.com/advisories/GHSA-hpqf-m68j-2pfx