The CVE-2025-1234 vulnerability in `expand-object` (versions 0.0.0 to 0.4.2) allows prototype pollution via the `expand()` function in index.js. This function parses a string such as `a.b.c=value` and creates the nested object properties it names. Because the key segments are not validated, an attacker can supply `__proto__` or `constructor` as a segment and walk from an ordinary object into its prototype. When user-controlled input reaches `expand()`, the attacker can therefore add or overwrite properties on the global `Object.prototype`; depending on how the application later reads those properties, this can lead to denial of service, privilege escalation, or remote code execution. The missing sanitization of keys during assignment is the root cause, and any application that uses `expand-object` to build objects from untrusted strings is affected.
DailyCVE Form:
Platform: Node.js
Version: 0.0.0-0.4.2
Vulnerability: Prototype Pollution
Severity: Moderate
Date: 2025-04-04
What Undercode Say:
Exploitation:
1. Craft a malicious payload:
const expand = require('expand-object'); expand('__proto__.polluted=true'); console.log({}.polluted); // true: the property now lives on Object.prototype
2. Exploit via HTTP request if input is user-controlled (a body such as `{"input":"__proto__.polluted=true"}` pollutes the prototype for the whole process):
app.post('/expand', (req, res) => { const obj = expand(req.body.input); /* vulnerable: untrusted key path */ res.json(obj); });
Protection:
1. Freeze `Object.prototype` (this also breaks legitimate code that patches built-in prototypes, such as polyfills, so test the application after enabling it; Node.js also offers the experimental `--frozen-intrinsics` flag for the same purpose):
Object.freeze(Object.prototype);
2. Use `Object.create(null)` for objects you build from untrusted keys (a null-prototype object has no `__proto__` accessor to reach, so `__proto__` becomes an ordinary own property):
const safeObj = Object.create(null);
3. Validate input keys with a denylist (an allowlist of the key names the application actually expects is stronger; this substring check is the minimum and also rejects harmless keys that merely contain these words):
function safeExpand(input) { if (input.includes('__proto__') || input.includes('constructor')) { throw new Error('Invalid key'); } return expand(input); }
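The following is an added example, not code from `expand-object` or from this advisory. It re-implements a minimal `expand()`-style parser for `a.b.c=value` strings in two forms: a naive version that reproduces the pollution described in the Exploitation section through both the `__proto__` and `constructor.prototype` key paths, and a hardened version that applies the protections listed above (segment denylist, null-prototype containers, own-property checks). The function names `expandUnsafe`, `expandSafe`, `parsePair` and `demo` are this example's own; the real library's internals may differ.

```javascript
// Added example: a hypothetical expand()-style parser, vulnerable and hardened.
// Not expand-object's own code.

// Key-path segments that must never be walked or assigned from untrusted input:
// each one reaches Object.prototype from an ordinary object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse "key.path=value" into [segments, value]; shared by both versions.
function parsePair(pair) {
  const eq = pair.indexOf('=');
  if (eq === -1) throw new Error(`missing "=" in ${JSON.stringify(pair)}`);
  const path = pair.slice(0, eq).split('.');
  const raw = pair.slice(eq + 1);
  let value = raw; // simple coercion: booleans and numbers become primitives
  if (raw === 'true') value = true;
  else if (raw === 'false') value = false;
  else if (raw !== '' && !Number.isNaN(Number(raw))) value = Number(raw);
  return [path, value];
}

// VULNERABLE: walks the path and assigns without checking segment names.
// "__proto__.polluted=true": cursor['__proto__'] is Object.prototype, then
// `polluted` is written onto it. "constructor.prototype.x=1" reaches the same
// object via Object.prototype.constructor === Object.
function expandUnsafe(input, target = {}) {
  for (const pair of input.split('&')) {
    const [path, value] = parsePair(pair);
    let cursor = target;
    for (let i = 0; i < path.length - 1; i++) {
      if (cursor[path[i]] === undefined) cursor[path[i]] = {};
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return target;
}

// HARDENED: rejects dangerous segments up front, builds null-prototype
// containers, and only descends into own properties, so the walk can never
// leave the object it is building.
function expandSafe(input) {
  const target = Object.create(null);
  for (const pair of input.split('&')) {
    const [path, value] = parsePair(pair);
    for (const seg of path) {
      if (seg === '' || FORBIDDEN_SEGMENTS.has(seg)) {
        throw new Error(`refusing key segment ${JSON.stringify(seg)}`);
      }
    }
    let cursor = target;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      const own = Object.prototype.hasOwnProperty.call(cursor, seg);
      if (!own || typeof cursor[seg] !== 'object' || cursor[seg] === null) {
        cursor[seg] = Object.create(null);
      }
      cursor = cursor[seg];
    }
    cursor[path[path.length - 1]] = value;
  }
  return target;
}

// Run both versions against the attack payloads and report what happened.
// Object.prototype is cleaned up after each unsafe call so the process is
// left as it was found.
function demo() {
  const results = {};
  expandUnsafe('__proto__.polluted=true');
  results.protoVector = ({}).polluted === true;        // true
  delete Object.prototype.polluted;
  expandUnsafe('constructor.prototype.polluted=true');
  results.ctorVector = ({}).polluted === true;         // true
  delete Object.prototype.polluted;
  const payloads = ['__proto__.polluted=true', 'constructor.prototype.polluted=true'];
  results.safeRejects = payloads.every((p) => {
    try { expandSafe(p); return false; } catch (e) { return true; }
  });                                                  // true
  results.cleanAfterSafe = ({}).polluted === undefined; // true
  return results;
}

console.log(demo());
console.log(expandSafe('a.b.c=5&a.d=x&flag=true'));
```

Note that `expandSafe` still returns a null-prototype object: if the result is later handed to a deep-merge helper that copies it into a plain object, that helper needs the same segment checks, which is why the denylist is kept even though `Object.create(null)` already neutralises `__proto__` on the container itself.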
Detection:
1. Check installed version:
npm list expand-object
2. Scan with `npm audit`:
npm audit
Mitigation:
1. Upgrade to patched version (if available):
npm install expand-object@latest
2. Replace `expand-object` with a maintained alternative such as a current `lodash.set` (lodash has shipped its own prototype-pollution fixes in the past, so pin a recent release and keep validating key names regardless of the library used).
References:
Reported By: https://github.com/advisories/GHSA-4vjr-hfpp-2m7w