The vulnerability exists in the `util-deps.addFileDepend` function, which manages file dependencies by merging user-supplied objects into an existing configuration object. The merge is unsafe, most likely a recursive merge that does not validate property names before descending into them. An attacker can supply a crafted payload containing keys such as `__proto__` or `constructor.prototype`. When the merge processes such a key, it follows the reference up to the base `Object.prototype` and writes attacker-controlled properties onto it. Because every plain object in the process inherits from `Object.prototype`, every object created afterwards carries these injected properties. That can cause a denial of service by altering application behaviour: code that later reads or calls methods on the now-polluted objects may crash or terminate unexpectedly.
Platform: Node.js
Version: through 2.2.2
Vulnerability: Prototype Pollution
Severity: Low
Date: 2025-09-24
Prediction: Patch by 2025-10-08
What Undercode Says:

Check whether the affected package is present in a project:

```shell
npm list magix-combine-ex
```

Proof of concept (the page shows the payload shape; the exact `addFileDepend` call signature is not given here):

```javascript
// Proof of Concept
const magixCombine = require('magix-combine-ex');

// Payload with a "__proto__" key, as parsed from untrusted JSON
const payload = JSON.parse('{"__proto__":{"polluted":"yes"}}');

// Before the trigger: a fresh object has no such property
console.log(({}).polluted); // undefined

// Trigger: pass `payload` into util-deps.addFileDepend
// (call shape not shown in this advisory)

// After exploit: Object.prototype now carries the injected property
console.log(({}).polluted); // 'yes'
```
How the Exploit Works:
Attacker supplies a malicious JSON object with `__proto__` property to the `addFileDepend` function, polluting the Object prototype and causing a DoS.
Protection from this CVE:
Update magix-combine-ex to a version later than 2.2.2. Sanitize user-supplied objects before merging them: reject or strip the `__proto__`, `constructor` and `prototype` keys, keep merge libraries such as `lodash.merge` on current, patched releases, or avoid recursive merging of user input altogether.
Impact:
Denial of Service (DoS) by corrupting object prototypes, leading to application instability.
Sources:
Reported By: github.com

