Locutus, Prototype Pollution, CVE-2024-29016 (Critical)

Listen to this Post

The vulnerability exists in the locutus npm package’s parse_str function within the php strings module. This function parses query strings similarly to PHP’s parse_str. To prevent prototype pollution, the code implements a check using the includes() method to detect forbidden keys like “constructor” and “prototype” in user input. However, this check relies on String.prototype.includes, which can be polluted by an attacker. By modifying String.prototype.includes to always return false, the security check is bypassed. When parse_str processes a crafted input such as ‘constructor[bash][polluted]=yes’, it fails to recognize the forbidden keys due to the polluted includes method. Consequently, the function sets the ‘polluted’ property on Object.prototype. This leads to all objects inheriting from Object.prototype being affected, as the polluted property propagates through the prototype chain. The pollution can be leveraged to modify application behavior, potentially leading to security breaches. The vulnerability affects versions after 2.0.12 where the initial fix was incomplete, and was fully resolved in version 2.0.39 by hardening the check against such bypasses.

DailyCVE Form:

Platform: npm package locutus
Version: >2.0.12 <2.0.39
Vulnerability: Prototype Pollution
Severity: Critical
date: 2024

Prediction: 2024-03-20

What Undercode Say:

Analytics:

npm install locutus

node -e “String.prototype.includes = () => false; console.log({}.polluted); const locutus = require(‘locutus’); locutus.php.strings.parse_str(‘constructor[bash][polluted]=yes’); console.log({}.polluted);”

How Exploit:

Pollute String.prototype.includes to return false. Call parse_str with malicious input like ‘constructor[bash][polluted]=yes’. This pollutes Object.prototype, affecting all objects.

Protection from this CVE

Update to version 2.0.39 or later.

Impact:

Authentication bypass, denial of service, remote code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top