The vulnerability exists in the `byGroupAndType` function of sassdoc-extras, which groups parsed SassDoc annotation data. The function uses a recursive merge without validating the keys of the input object. An attacker can exploit this by crafting a malicious annotation object whose keys contain special names such as `__proto__` or `constructor.prototype`. During the recursive merge, the function never checks whether such a key is meant to reach into the prototype chain, so the attacker-controlled properties are written onto `Object.prototype`. Every object that inherits from `Object.prototype` then carries those properties. This can lead to denial of service by altering application logic that iterates over object properties or relies on specific attributes being absent, causing crashes or unexpected termination.
Platform: Node.js
Version: <=2.5.1
Vulnerability: Prototype Pollution
Severity: Low
Date: 2024-09-24
Prediction: Expected Patch Date: 2024-10-08
What Undercode Say:
npm list sassdoc-extras
cat node_modules/sassdoc-extras/lib/by-group-and-type.js | grep -A 10 -B 5 "function merge"
// Example of a vulnerable pattern (reconstructed shape, not the library's exact source)
function isObject(value) {
return value !== null && typeof value === 'object';
}

function merge(target, source) {
for (var prop in source) {
// Missing check: keys named '__proto__', 'constructor' or 'prototype' should be
// skipped here; without it, target['__proto__'] resolves to Object.prototype
// and the recursion writes the attacker's properties onto it.
if (isObject(source[prop])) {
if (!target[prop]) target[prop] = {};
merge(target[prop], source[prop]);
} else {
target[prop] = source[prop];
}
}
}
How to Exploit:
An attacker creates a malicious SassDoc comment block with a payload designed to trigger prototype pollution.
{
"group": "test",
"context": {
"name": "__proto__.polluted",
"value": "yes"
}
}
When this data is processed by the vulnerable `byGroupAndType` function, the `__proto__` segment of the key is resolved against the target object's prototype chain instead of being rejected, and a `polluted` property is added to `Object.prototype`.
Protection from this CVE
Upgrade sassdoc-extras to a version above 2.5.1 once a patch is released. Until then, sanitize every object handed to the library: skip or reject the keys `__proto__`, `constructor` and `prototype`, and only merge an object's own properties. Tools like `NoPollute`, or `Object.freeze(Object.prototype)` in development, can block pollution attempts; note that freezing the prototype is a blunt instrument that can break libraries which extend built-ins, so test it before relying on it in production.
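The following is an added example, not code from sassdoc-extras or from the advisory: it reconstructs the vulnerable recursive merge described above, feeds it the crafted payload (both the nested form and the dotted `__proto__.polluted` form, assuming the consumer expands dotted names into nested objects before merging), shows what a fresh object inherits afterwards, and places a hardened merge beside it that refuses prototype-chain keys and only descends into properties the target itself owns. The function names and the payload are assumptions for illustration.

```javascript
'use strict';

// Helper shared by both merge variants.
function isObject(value) {
  return value !== null && typeof value === 'object';
}

// Reconstruction of the vulnerable pattern (assumed shape, not the library's source):
// every enumerable key is merged, including '__proto__', and target['__proto__'] on a
// plain object resolves to Object.prototype, so the recursion writes there.
function mergeVulnerable(target, source) {
  for (const prop in source) {
    if (isObject(source[prop])) {
      if (!target[prop]) target[prop] = {};
      mergeVulnerable(target[prop], source[prop]);
    } else {
      target[prop] = source[prop];
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: own keys only, prototype-chain keys refused, and the recursion
// only descends into objects that the target itself owns (never an inherited one).
function mergeSafe(target, source) {
  for (const prop of Object.keys(source)) {
    if (UNSAFE_KEYS.has(prop)) continue;
    const value = source[prop];
    if (isObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, prop) || !isObject(target[prop])) {
        target[prop] = {};
      }
      mergeSafe(target[prop], value);
    } else {
      target[prop] = value;
    }
  }
  return target;
}

// Constructed attacker input in nested form. JSON.parse stores "__proto__" as an
// own data property, which is exactly what the vulnerable loop then walks into.
const PAYLOAD_JSON = '{"group":"test","context":{"__proto__":{"polluted":"yes"}}}';

// The advisory's payload writes the key as a dotted path. If the consumer expands
// "a.b" into {a: {b: value}} before merging (an assumption about the pipeline), it
// reaches the same code path; a computed key keeps "__proto__" as an own property.
function expandDotted(path, value) {
  return path.split('.').reverse().reduce((acc, key) => ({ [key]: acc }), value);
}

// Runs one merge on a throwaway target, then probes a fresh object the merge never
// touched. Returns what leaked and which keys a for-in loop now sees, then removes
// the property from Object.prototype so the next run starts clean.
function pollutes(merge, payload) {
  merge({}, payload);
  const probe = {};
  const leaked = probe.polluted;
  const inheritedKeys = [];
  for (const key in probe) inheritedKeys.push(key);
  delete Object.prototype.polluted;
  return { leaked, inheritedKeys };
}

console.log('vulnerable, nested payload:', pollutes(mergeVulnerable, JSON.parse(PAYLOAD_JSON)));
// { leaked: 'yes', inheritedKeys: [ 'polluted' ] }
console.log('vulnerable, dotted payload:', pollutes(mergeVulnerable, { context: expandDotted('__proto__.polluted', 'yes') }));
// { leaked: 'yes', inheritedKeys: [ 'polluted' ] }
console.log('hardened, nested payload:', pollutes(mergeSafe, JSON.parse(PAYLOAD_JSON)));
// { leaked: undefined, inheritedKeys: [] }
```

The `inheritedKeys` result is the denial-of-service angle from the advisory made concrete: after the vulnerable merge, any `for...in` loop over any plain object in the process sees an extra `polluted` key it never set. The hardened merge relies on two independent checks, the key denylist and the own-property test, so that a bypass of one (for example a key the denylist does not name) still cannot reach an inherited object.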
Impact:
Denial of Service (DoS) by causing application instability. Potential for remote code execution if other vulnerabilities are chained, depending on the application’s codebase.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

