NocoDB, Prototype Pollution, Critical

Listen to this Post

How the mentioned CVE works:

The vulnerability exploits prototype pollution in NocoDB’s deepMerge function within dataUtils.ts. This function recursively merges objects without sanitizing dangerous keys like proto, constructor, and prototype. An authenticated user with org-level-creator permissions can send a crafted payload to the /api/v2/meta/connection/test endpoint. This endpoint passes user-controlled input directly to deepMerge. For example, sending {“proto“: {“super”: true}} pollutes Object.prototype by adding a “super” property. This pollution affects all plain objects in the Node.js process, causing all database write operations to fail application-wide. The failure occurs because the polluted prototype interferes with normal object operations. Although the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed since database operations fail immediately after pollution. The server requires a restart to clear the prototype pollution and restore functionality, impacting all users until then.
Platform: NocoDB
Version: Unknown
Vulnerability: Prototype Pollution
Severity: Critical
date: Unknown

Prediction: Patch date unknown

What Undercode Say:

Analytics:

Bash command to exploit:

curl -X POST https://target.com/api/v2/meta/connection/test -H “Authorization: Bearer ” -d ‘{“proto“: {“super”: true}}’

Vulnerable deepMerge code:

export const deepMerge = (target: any, …sources: any[]) => {

Object.keys(source).forEach((key) => {

if (isMergeableObject(source[bash])) {

if (!target[bash]) target[bash] = Array.isArray(source[bash]) ? [] : {};

deepMerge(target[bash], source[bash]);

} else {

target[bash] = source[bash];

}

});

};

Endpoint code snippet:

config = await integration.getConfig();

deepMerge(config, body);

How Exploit:

Send polluted payload.

Protection from this CVE

Sanitize merge keys.

Impact:

Database writes fail.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top