js‑toml is a JavaScript/TypeScript TOML parser that aims for full compliance with the TOML 1.0.0 specification. In versions up to and including 1.1.1, the interpreter contains a critical logic flaw in its duplicate‑key detection mechanism. Instead of using the `in` operator to test for key existence, the code uses a truthy check: <code>if (object[key])</code>. When a key already exists with a falsy primitive value — <code>false</code>, <code>0</code>, <code>0n</code>, <code>0.0</code>, <code>-0</code>, or <code>""</code> — this check evaluates to <code>false</code>, causing the interpreter to skip the duplicate‑key branch and silently overwrite the existing value with a new sub‑table, dotted‑key sub‑table, or array‑of‑tables.
Per the TOML 1.0.0 specification, defining a key multiple times is invalid and should result in a parse error. However, this bug allows attackers to craft TOML inputs that violate the spec, leading to structural type confusion in the object returned by <code>load()</code>. A value that was originally a boolean `false` or numeric `0` becomes a truthy object, which can subvert security checks in host applications that rely on conditional statements like <code>if (config.flag)</code>, <code>if (!user.banned)</code>, <code>if (config.allowDelete)</code>, or <code>if (config.publicMode)</code>.
This vulnerability is distinct from GHSA‑65fc‑cr5f‑v7r2 (the prototype‑pollution fix in version 1.0.2). `Object.prototype` is not polluted; the `Object.create(null)` mitigation from 1.0.2 remains intact. The bug lies solely in the duplicate‑key state machine.
<h2 style="color: blue;">Affected Code Locations</h2>
Two truthy checks are incorrect:
<ul>
<li>src/load/interpreter.ts:214 — `Interpreter.tryCreatingObject`
```javascript
if (object[key]) { // falsy primitives slip through
  // duplicate-key logic
} else {
  object[key] = createSafeObject(); // silently overwrites the prior falsy value
}
```
</li>
<li>src/load/interpreter.ts — `Interpreter.getOrCreateArray`
```javascript
if (object[first] && !Array.isArray(object[first])) { // same flaw
  throw new DuplicateKeyError();
}
object[first] = object[first] || []; // overwrites the prior falsy value
```
</li>
</ul>
Both should use the `in` operator. Because containers are created via `Object.create(null)`, `in` is unambiguous (no inherited keys to worry about).
The bug is reachable through every parent‑walking interpreter path:
- `assignValue` — dotted keys in `key = value`
- `createTable` — `[table]` headers
- `getOrCreateArray` — `[[table]]` (array‑of‑tables) headers
<h2 style="color: blue;">Proof of Concept</h2>
```toml
isAdmin = false
[isAdmin]
forced = "yes"
```
```javascript
import { load } from 'js-toml';
const config = load(`isAdmin = false
[isAdmin]
forced = "yes"`);
console.log(JSON.stringify(config));
// {"isAdmin":{"forced":"yes"}}
console.log(config.isAdmin ? 'BYPASS' : 'safe');
// BYPASS
if (config.isAdmin) {
  // attacker reaches admin-only code
}
```
DailyCVE Form
Platform: npm/js-toml
Version: <=1.1.1
Vulnerability: Structural Type Confusion (CWE-697)
Severity: Medium
Date: 2026-06-26
Prediction: 2026-06-26 (fixed in 1.1.2)
What Undercode Say
Analytics
- Attack Vector: Remote, via crafted TOML input.
- Prerequisites: Application uses `js-toml` <=1.1.1 and parses attacker‑controlled TOML.
- Exploitability: Low complexity; no authentication required.
- Impact: Subversion of authorization checks, privilege escalation, data corruption.
Bash Commands & Code Snippets
Check installed version:
```bash
npm list js-toml
```
Update to patched version:
```bash
npm install js-toml@1.1.2
```
Vulnerable code pattern (DO NOT USE):
```javascript
if (object[key]) { // ❌ falsy values bypass duplicate-key check
  // handle duplicate
}
```
Fixed code pattern:
```javascript
if (key in object) { // ✅ correctly detects all existing keys
  // handle duplicate
}
```
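To see the vulnerable and fixed checks from the "Affected Code Locations" section and the patterns above side by side, here is a small model of the duplicate‑key logic. It is an added example for this write‑up, not js‑toml's source: the function names, the simplified throw‑on‑any‑existing‑key behaviour and the replay helpers are assumptions made for the example.

```javascript
// Added illustration, not js-toml's source: a minimal model of the
// duplicate-key check with the vulnerable truthy test beside the `in`
// test from the fix. Function names and the replay helpers are
// assumptions for this example; the real interpreter also has extra
// conditions for re-entering an existing table, which are omitted here.

class DuplicateKeyError extends Error {
  constructor(key) {
    super(`key "${key}" is already defined`);
    this.name = 'DuplicateKeyError';
  }
}

// Containers are created without a prototype, so `in` cannot match
// inherited names such as "constructor" or "toString".
function createSafeObject() {
  return Object.create(null);
}

// Vulnerable pattern: a falsy primitive (false, 0, 0n, "", -0) fails the
// truthy test, so the existing value is replaced by a fresh table.
function tryCreatingObjectVulnerable(object, key) {
  if (object[key]) {
    throw new DuplicateKeyError(key);
  }
  object[key] = createSafeObject();
  return object[key];
}

// Fixed pattern: `in` reports presence regardless of the stored value.
function tryCreatingObjectFixed(object, key) {
  if (key in object) {
    throw new DuplicateKeyError(key);
  }
  object[key] = createSafeObject();
  return object[key];
}

// Array-of-tables variant of the same flaw: `object[first] || []`
// discards a falsy scalar instead of reporting the duplicate.
function getOrCreateArrayVulnerable(object, first) {
  if (object[first] && !Array.isArray(object[first])) {
    throw new DuplicateKeyError(first);
  }
  object[first] = object[first] || [];
  return object[first];
}

// Fixed variant: after the guard, `first` is either absent or already an
// array, so the assignment only creates the array when it is missing.
function getOrCreateArrayFixed(object, first) {
  if (first in object && !Array.isArray(object[first])) {
    throw new DuplicateKeyError(first);
  }
  if (!(first in object)) {
    object[first] = [];
  }
  return object[first];
}

// Replay `isAdmin = <initial>` followed by an `[isAdmin]` header holding
// `forced = "yes"`. Returns the final value of isAdmin, or the error name
// when the parser model rejected the second definition.
function replayTableRedefinition(createFn, initial) {
  const root = createSafeObject();
  root.isAdmin = initial;
  try {
    const table = createFn(root, 'isAdmin');
    table.forced = 'yes';
    return root.isAdmin;
  } catch (err) {
    return err.name;
  }
}

// Replay `items = <initial>` followed by an `[[items]]` header.
function replayArrayRedefinition(arrayFn, initial) {
  const root = createSafeObject();
  root.items = initial;
  try {
    arrayFn(root, 'items').push(createSafeObject());
    return root.items;
  } catch (err) {
    return err.name;
  }
}

// Stand-alone run: show what each model leaves behind for `isAdmin = false`.
for (const [label, fn] of [['vulnerable', tryCreatingObjectVulnerable], ['fixed', tryCreatingObjectFixed]]) {
  console.log(label, '->', replayTableRedefinition(fn, false));
}
```

The vulnerable model turns `false` into a table carrying `forced = "yes"`, while the fixed model throws `DuplicateKeyError` for every existing key, falsy or not; a truthy first value (`true`) is caught by both, which is why the flaw only surfaces for falsy primitives.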
Full fix diff (src/load/interpreter.ts):
- if (object[bash]) {
+ if (key in object) {
if (!isPlainObject(object[bash]) || (!ignoreExplicitDeclared && ...)) {
throw new DuplicateKeyError();
}
}
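Review bot: the `+ if (key in object)` guard is only safe because every container is built with `Object.create(null)`; a container created as a plain `{}` anywhere on the parent‑walking paths would make `key in object` true for inherited names such as `constructor` and raise a spurious `DuplicateKeyError`. Suggest either a test asserting `Object.getPrototypeOf(object) === null` for each container the interpreter creates, or `Object.hasOwn(object, key)` if that invariant is not meant to be relied on.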
- if (object[bash] && !Array.isArray(object[bash])) {
+ if (first in object && !Array.isArray(object[bash])) {
throw new DuplicateKeyError();
}
object[bash] = object[bash] || [];
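Review bot: with `first in object` now guarding the branch, the trailing `object[bash] = object[bash] || []` line is redundant and keeps the truthiness idiom that caused the bug: once the guard passes, the key is either absent or already holds an array, so `if (!(first in object)) object[first] = [];` states the intent directly and does not depend on arrays being truthy.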
Exploit
An attacker can supply a TOML document where a key is first defined with a falsy primitive (false, 0, "", etc.) and then re‑defined as a table, dotted key, or array‑of‑tables. The parser will not throw a `DuplicateKeyError` and will overwrite the primitive with an object. Any consuming application that uses the parsed configuration in security‑sensitive conditionals will then take the wrong branch, potentially granting unauthorized access or bypassing safeguards.
Example attack TOML:
```toml
admin = false
[admin]
level = "superuser"
```
If the application checks `if (config.admin)` to determine privileges, the attacker gains admin access despite the original `false` value.
Protection
- Upgrade to `js-toml@1.1.2` or later immediately.
- If upgrading is not possible, apply the suggested fix by patching `src/load/interpreter.ts` locally (replace `if (object[key])` with `if (key in object)` in `tryCreatingObject`, and make the analogous change in `getOrCreateArray`).
- Validate all TOML input against the spec using an external validator before parsing, or use a different TOML parser that correctly handles duplicate keys.
- Avoid using parsed configuration values directly in security‑critical conditionals without additional validation (e.g., strict equality checks against expected types).
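The last item above, worked through in code: a consumer‑side type check that runs before any parsed value reaches a security‑sensitive conditional. This is an added example, not part of the advisory or of js‑toml; the schema format, the function names and the two sample objects are constructed for it.

```javascript
// Added example (not from the advisory or js-toml): consumer-side hardening.
// A parsed config is checked against an explicit type schema before any value
// reaches a security-sensitive conditional, so a boolean that a buggy parser
// turned into a table is rejected instead of reading as truthy.
// The schema format and the sample objects below are constructed for this example.

const CONFIG_SCHEMA = {
  admin: 'boolean',
  allowDelete: 'boolean',
  publicMode: 'boolean',
  maxUploads: 'number',
};

// Distinguish arrays and null from plain objects so error messages are precise.
function describeValue(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Returns { ok: true, config } holding only the schema's keys with the
// expected types, or { ok: false, errors } listing every mismatch.
function validateConfig(parsed, schema = CONFIG_SCHEMA) {
  const errors = [];
  const config = Object.create(null);
  for (const [key, expected] of Object.entries(schema)) {
    if (!(key in parsed)) {
      errors.push(`${key}: missing`);
      continue;
    }
    const value = parsed[key];
    const actual = describeValue(value);
    if (actual !== expected || (expected === 'number' && !Number.isFinite(value))) {
      errors.push(`${key}: expected ${expected}, got ${actual}`);
      continue;
    }
    config[key] = value;
  }
  return errors.length === 0 ? { ok: true, config } : { ok: false, errors };
}

// Weak check of the kind the advisory warns about: any object is truthy.
function weakIsAdmin(parsed) {
  return parsed.admin ? true : false;
}

// Hardened check: validate first, fail closed on any mismatch, then use
// strict equality so only the boolean `true` grants the privilege.
function strictIsAdmin(parsed) {
  const result = validateConfig(parsed);
  if (!result.ok) return false;
  return result.config.admin === true;
}

// Constructed sample: a correct parse of a benign config.
const SAFE_PARSE = { admin: false, allowDelete: false, publicMode: true, maxUploads: 3 };
// Constructed sample: what a parser with the duplicate-key flaw returns for
//   admin = false
//   [admin]
//   level = "superuser"
const CONFUSED_PARSE = { admin: { level: 'superuser' }, allowDelete: false, publicMode: true, maxUploads: 3 };

console.log('weak:', weakIsAdmin(CONFUSED_PARSE), 'strict:', strictIsAdmin(CONFUSED_PARSE));
console.log(validateConfig(CONFUSED_PARSE));
```

Failing closed in `strictIsAdmin` is deliberate: a config that does not match its schema is treated as "no privilege" rather than letting the caller decide, and the error list from `validateConfig` gives operators something concrete to log when a malformed document is rejected.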
Impact
- Confidentiality: Potential unauthorized access to restricted resources if access controls are derived from parsed config.
- Integrity: Configuration values can be corrupted, leading to unexpected application behavior.
- Availability: Not directly affected, but logic errors may cause application malfunctions.
- CVSS Score: Medium (5.3) — AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (approximate).
Sources:
Reported By: github.com

