spmrc, Prototype Pollution, CVE-2025-45628 (Low)


The vulnerability exists in the `set` and `config` functions of spmrc versions 1.2.0 and earlier. These functions are responsible for managing configuration settings. Prototype pollution occurs because these functions do not properly validate user input when recursively setting nested properties. An attacker can supply a specially crafted payload, such as a string containing `__proto__` or `constructor.prototype` as a key within a configuration object. When this payload is processed, the function traverses the prototype chain incorrectly. Instead of setting the property on the target object itself, it modifies the global Object.prototype. This pollutes all objects in the application, as they inherit from this prototype. The immediate consequence can be a Denial of Service (DoS) if injected properties conflict with existing application logic, causing crashes or unexpected behavior.
Platform: Node.js
Version: <=1.2.0

Vulnerability : Prototype Pollution

Severity: Low

Date: 2025-09-24

Prediction: Patch by 2025-10-08

What Undercode Says:

npm list spmrc
cat payload.json
{
"__proto__.polluted": "yes"
}
node -e "const spmrc = require('spmrc'); spmrc.config(require('./payload.json')); console.log({}.polluted);"

How to Exploit:

An attacker crafts a malicious configuration file or API request payload containing prototype pollution keys. When this payload is loaded by an application using the vulnerable spmrc library, the `Object.prototype` is modified. This can be used to disrupt application functionality by overriding built-in object methods or properties, leading to a Denial of Service.

Protection from this CVE:

Upgrade spmrc to a version beyond 1.2.0 once a patch is available. As an immediate mitigation, sanitize all input objects by using libraries like `hoek` or implementing custom validation to block keys containing `__proto__`, `constructor`, or `prototype`. Freeze `Object.prototype` using `Object.freeze(Object.prototype)` in the application entry point to prevent pollution.
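To make the mechanism described above and the recommended key-blocking mitigation concrete, here is an added example that is not spmrc's code: a minimal dotted-path `set` helper in the shape the advisory describes, first in a vulnerable form and then hardened. The function names `unsafeSet`, `safeSet`, `isDangerousKey`, `applyConfig` and `demo` are assumptions, and the payload is constructed to mirror the `payload.json` shown earlier.

```javascript
// Added example (not spmrc's code): a dotted-path config setter in its
// vulnerable form beside a hardened form. Helper names are assumptions.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isDangerousKey(key) {
  return DANGEROUS_KEYS.has(key);
}

// Vulnerable: walks or creates nested objects for each path segment without
// checking the segment. On a plain object, obj['__proto__'] resolves to
// Object.prototype, so "__proto__.polluted" writes to the shared prototype
// instead of to the target object.
function unsafeSet(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-related segments up front, only descend into
// own properties, and create intermediate objects with a null prototype so
// there is no chain to walk into.
function safeSet(target, path, value) {
  const parts = path.split('.');
  for (const k of parts) {
    if (isDangerousKey(k)) {
      throw new TypeError(`refusing to set prototype-related key: ${k}`);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Apply a whole config object (one key per dotted path) through a setter.
function applyConfig(target, config, setter) {
  for (const [path, value] of Object.entries(config)) {
    setter(target, path, value);
  }
  return target;
}

// Run the constructed payload through both setters and check whether an
// unrelated object was affected. The prototype is cleaned up afterwards so
// the process is left in a sane state.
function demo() {
  const payload = { '__proto__.polluted': 'yes' }; // constructed payload
  const result = {};

  applyConfig({}, payload, unsafeSet);
  result.unsafePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;

  let safeThrew = false;
  try {
    applyConfig({}, payload, safeSet);
  } catch (e) {
    safeThrew = e instanceof TypeError;
  }
  result.safeThrew = safeThrew;
  result.safeClean = ({}).polluted === undefined;
  return result;
}

console.log(demo()); // { unsafePolluted: true, safeThrew: true, safeClean: true }
```

The check in `safeSet` rejects exact segment names rather than substrings, so legitimate keys such as `constructorName` still work. If you instead rely on `Object.freeze(Object.prototype)`, note that a write like the one in `unsafeSet` then fails silently in sloppy-mode code and throws a `TypeError` in strict-mode code, and that any dependency which legitimately extends `Object.prototype` will break, so test the application after enabling it.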

Impact:

Denial of Service (DoS) is the primary impact. By polluting the base object prototype, application stability is compromised, potentially causing crashes or unresponsive states. The severity is low because it requires control over input to the vulnerable functions and typically does not lead to remote code execution in this specific instance.


Sources:

Reported By: github.com
