The vulnerability in messageformat for Node.js (versions prior to 3.0.1) stems from improper input sanitization of nested message keys. When the library processes a message object, it recursively traverses the keys to resolve the correct message string. The function responsible for this traversal does not adequately check for keys that match special JavaScript object properties such as `__proto__` or `constructor.prototype`. An attacker can supply a malicious message payload containing a key such as `"__proto__.polluted"`. During processing, the library's `setValue` function (or similar logic) interprets this key path not as a plain string but as an instruction to walk the prototype chain, so the value (`"polluted"` in this case) is assigned on `Object.prototype` itself. Consequently, every object created after the pollution inherits this property. This can lead to denial of service when application code throws on the unexpected property, or to remote code execution if the polluted property feeds into security-critical logic such as command execution or file paths.
Platform: Node.js
Version: < 3.0.1
Vulnerability: Prototype Pollution
Severity: High
Date: 2024-09-24
Prediction: Patch by 2024-10-08
What Undercode Says:

Check whether your project pulls in the affected version:

```shell
npm audit
```

Proof of concept from the report (the key below was garbled in the original rendering and is restored to the `__proto__` path described above):

```javascript
const MessageFormat = require('messageformat');
const mf = new MessageFormat('en');
// Message object whose key path reaches Object.prototype
const maliciousPayload = {
  "__proto__.polluted": "yes"
};
// Processing the payload pollutes the prototype
const messages = mf.compile(maliciousPayload);
// Check if the prototype is polluted
console.log(({}).polluted); // Outputs: 'yes'
```
How It Is Exploited:
Attackers craft malicious input with `__proto__` or `constructor` keys to pollute the base object prototype, causing application-wide disruption or code execution.
Protection from this CVE:
Upgrade to messageformat version 3.0.1 or later. Implement input validation to reject keys containing `__proto__`, `constructor`, or `prototype`.
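The key validation recommended above, written out as an added example (this is not code from the messageformat project). It walks a nested message object, splits each key on "." because the report describes the library treating "__proto__.polluted" as a traversal path, and refuses any segment that could reach Object.prototype; the library call itself is left out so the block runs without messageformat installed.

```javascript
// Added example: validate an untrusted message object before compiling it.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the offending key paths (empty array means the object is safe).
// Keys are split on "." to mirror the path traversal the report describes.
function findUnsafeKeys(messages, path = []) {
  const findings = [];
  if (messages === null || typeof messages !== 'object') return findings;
  // Object.keys lists own properties only, so an already polluted prototype
  // never feeds back into the scan.
  for (const key of Object.keys(messages)) {
    const here = [...path, key];
    const segments = key.split('.');
    if (segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      findings.push(here.join('/'));
      continue; // do not descend into a rejected subtree
    }
    findings.push(...findUnsafeKeys(messages[key], here));
  }
  return findings;
}

// Gate for untrusted input: throws instead of handing the object to compile().
function assertSafeMessages(messages) {
  const bad = findUnsafeKeys(messages);
  if (bad.length > 0) {
    throw new Error(`rejected unsafe message keys: ${bad.join(', ')}`);
  }
  return messages;
}

// Runtime canary: true if Object.prototype now carries a property the
// application never defined, i.e. pollution has already happened.
function isPrototypePolluted(propertyName) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, propertyName);
}
```

Call `assertSafeMessages` on any message object that originates outside the application, and run `isPrototypePolluted` on a sentinel name in a health check to detect pollution that slipped past validation.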
Impact:
Denial of Service, Arbitrary Code Execution, Application Behavior Manipulation.
Sources:
Reported By: github.com