Listen to this Post
How the mentioned CVE works:
The vulnerability resides in `src/proxy/mailbox/store.js` lines 123 and 145. The `_applyUpdate(row)` and `_updateRecord(id, fields)` functions use `Object.assign()` to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. An attacker who can write to the `messages.jsonl` file (mailbox persistence) injects a malicious JSONL entry. Example: {"_op":"update","id":"msg-123","fields":{"__proto__":{"polluted":true}}}. When the store loads, `readLines()` (line 47) reads the file, `_rebuildIndex()` (line 113) calls `_applyUpdate()` (line 121), and `Object.assign()` copies the `__proto__` property into the object’s prototype chain. This pollutes Object.prototype, making the injected properties (e.g., isAdmin) appear on every JavaScript object. In Node.js, alternative payloads like `{“constructor”:{“prototype”:{“polluted”:true}}}` may bypass partial protections. The exploit requires write access to the `messages.jsonl` file, achievable via file upload, path traversal, or compromised backups. No authentication is needed once file write is obtained.
Platform: Node.js
Version: All before
Vulnerability: Prototype Pollution
Severity: Critical
date: 2026-04-23
Prediction: 2026-05-07
Analytics under What Undercode Say:
Check for prototype pollution in logs grep -E '"<strong>proto</strong>"|"constructor"' /var/mailbox/messages.jsonl Monitor Object.assign usage in source grep -n "Object.assign" src/proxy/mailbox/store.js Node.js runtime detection script node -e "console.log(Object.prototype.polluted)"
How Exploit:
// Write malicious JSONL entry
const payload = {
_op: "update",
id: "pwn",
fields: { "<strong>proto</strong>": { isAdmin: true, exec: "ls" } }
};
fs.appendFileSync('messages.jsonl', JSON.stringify(payload) + '\n');
// Trigger reload; any new object inherits isAdmin
Protection from this CVE
- Use `Object.create(null)` for internal stores.
- Filter keys: reject
__proto__,constructor,prototype. - Use `Map` instead of plain objects for
_index. - Apply
Object.freeze(Object.prototype). - Validate JSONL input with a schema that disallows dangerous properties.
Impact:
Authentication bypass (regular user gains admin), arbitrary property injection affecting all objects, denial of service via prototype corruption, potential remote code execution if polluted properties reach security‑sensitive code paths (e.g., child_process.spawn). Multi‑tenant mailbox users are most at risk.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

