(Mailbox Store) Prototype Pollution, CVE-Not-Provided (Critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability resides in `src/proxy/mailbox/store.js` lines 123 and 145. The `_applyUpdate(row)` and `_updateRecord(id, fields)` functions use `Object.assign()` to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. An attacker who can write to the `messages.jsonl` file (mailbox persistence) injects a malicious JSONL entry. Example: {"_op":"update","id":"msg-123","fields":{"__proto__":{"polluted":true}}}. When the store loads, `readLines()` (line 47) reads the file, `_rebuildIndex()` (line 113) calls `_applyUpdate()` (line 121), and `Object.assign()` copies the `__proto__` property into the object’s prototype chain. This pollutes Object.prototype, making the injected properties (e.g., isAdmin) appear on every JavaScript object. In Node.js, alternative payloads like `{“constructor”:{“prototype”:{“polluted”:true}}}` may bypass partial protections. The exploit requires write access to the `messages.jsonl` file, achievable via file upload, path traversal, or compromised backups. No authentication is needed once file write is obtained.
Platform: Node.js
Version: All before
Vulnerability: Prototype Pollution
Severity: Critical
date: 2026-04-23

Prediction: 2026-05-07

Analytics under What Undercode Say:

Check for prototype pollution in logs
grep -E '"<strong>proto</strong>"|"constructor"' /var/mailbox/messages.jsonl
Monitor Object.assign usage in source
grep -n "Object.assign" src/proxy/mailbox/store.js
Node.js runtime detection script
node -e "console.log(Object.prototype.polluted)"

How Exploit:

// Write malicious JSONL entry
const payload = {
_op: "update",
id: "pwn",
fields: { "<strong>proto</strong>": { isAdmin: true, exec: "ls" } }
};
fs.appendFileSync('messages.jsonl', JSON.stringify(payload) + '\n');
// Trigger reload; any new object inherits isAdmin

Protection from this CVE

  • Use `Object.create(null)` for internal stores.
  • Filter keys: reject __proto__, constructor, prototype.
  • Use `Map` instead of plain objects for _index.
  • Apply Object.freeze(Object.prototype).
  • Validate JSONL input with a schema that disallows dangerous properties.

Impact:

Authentication bypass (regular user gains admin), arbitrary property injection affecting all objects, denial of service via prototype corruption, potential remote code execution if polluted properties reach security‑sensitive code paths (e.g., child_process.spawn). Multi‑tenant mailbox users are most at risk.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top