Listen to this Post
The vulnerability exists in the locutus npm package’s parse_str function within the php strings module. This function parses query strings similarly to PHP’s parse_str. To prevent prototype pollution, the code implements a check using the includes() method to detect forbidden keys like “constructor” and “prototype” in user input. However, this check relies on String.prototype.includes, which can be polluted by an attacker. By modifying String.prototype.includes to always return false, the security check is bypassed. When parse_str processes a crafted input such as ‘constructor[bash][polluted]=yes’, it fails to recognize the forbidden keys due to the polluted includes method. Consequently, the function sets the ‘polluted’ property on Object.prototype. This leads to all objects inheriting from Object.prototype being affected, as the polluted property propagates through the prototype chain. The pollution can be leveraged to modify application behavior, potentially leading to security breaches. The vulnerability affects versions after 2.0.12 where the initial fix was incomplete, and was fully resolved in version 2.0.39 by hardening the check against such bypasses.
DailyCVE Form:
Platform: npm package locutus
Version: >2.0.12 <2.0.39
Vulnerability: Prototype Pollution
Severity: Critical
date: 2024
Prediction: 2024-03-20
What Undercode Say:
Analytics:
npm install locutus
node -e “String.prototype.includes = () => false; console.log({}.polluted); const locutus = require(‘locutus’); locutus.php.strings.parse_str(‘constructor[bash][polluted]=yes’); console.log({}.polluted);”
How Exploit:
Pollute String.prototype.includes to return false. Call parse_str with malicious input like ‘constructor[bash][polluted]=yes’. This pollutes Object.prototype, affecting all objects.
Protection from this CVE
Update to version 2.0.39 or later.
Impact:
Authentication bypass, denial of service, remote code execution.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

