Listen to this Post
How the mentioned CVE works:
The vulnerability exploits prototype pollution in NocoDB’s deepMerge function within dataUtils.ts. This function recursively merges objects without sanitizing dangerous keys like proto, constructor, and prototype. An authenticated user with org-level-creator permissions can send a crafted payload to the /api/v2/meta/connection/test endpoint. This endpoint passes user-controlled input directly to deepMerge. For example, sending {“proto“: {“super”: true}} pollutes Object.prototype by adding a “super” property. This pollution affects all plain objects in the Node.js process, causing all database write operations to fail application-wide. The failure occurs because the polluted prototype interferes with normal object operations. Although the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed since database operations fail immediately after pollution. The server requires a restart to clear the prototype pollution and restore functionality, impacting all users until then.
Platform: NocoDB
Version: Unknown
Vulnerability: Prototype Pollution
Severity: Critical
date: Unknown
Prediction: Patch date unknown
What Undercode Say:
Analytics:
Bash command to exploit:
curl -X POST https://target.com/api/v2/meta/connection/test -H “Authorization: Bearer
Vulnerable deepMerge code:
export const deepMerge = (target: any, …sources: any[]) => {
Object.keys(source).forEach((key) => {
if (isMergeableObject(source[bash])) {
if (!target[bash]) target[bash] = Array.isArray(source[bash]) ? [] : {};
deepMerge(target[bash], source[bash]);
} else {
target[bash] = source[bash];
}
});
};
Endpoint code snippet:
config = await integration.getConfig();
deepMerge(config, body);
How Exploit:
Send polluted payload.
Protection from this CVE
Sanitize merge keys.
Impact:
Database writes fail.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

