The vulnerability in toggle-array 1.0.1 and earlier lies in the `enable` and `disable` functions, which set or clear a property on the object at a given position in an array. Neither function validates that the supplied index is a real array position. The user-controlled index is used directly as a property key on the array, so a value such as `__proto__` (or a path such as `constructor.prototype`) resolves to a prototype object instead of an array element, and the write lands on `Object.prototype` or another shared prototype. Every object that inherits from the polluted prototype then sees the injected property, which can trigger unexpected application behaviour, crashes, or a denial of service.
Platform: npm
Version: <=1.0.1
Vulnerability: Prototype Pollution
Severity: Low
Date: 2025-09-24
Prediction: Patch by 2025-10-01
What Undercode Say:
npm list toggle-array
const toggleArray = require('toggle-array');
let arr = [{}, {}];
// Malicious payload: the index is a prototype key, not an array position
toggleArray.enable(arr, '__proto__', 'polluted');
console.log({}.polluted); // per the advisory, prints the injected property instead of undefined
How to Exploit:
Supply input in which the index passed to `enable` or `disable` is `__proto__` or `constructor.prototype` together with a property name and value. The vulnerable function follows the index to the prototype object and writes the property there, so the injected property becomes visible on every object inheriting from that prototype.
Protection from this CVE:
Upgrade toggle-array to a fixed release as soon as one is published; every version up to and including 1.0.1 is affected. Until then, validate the index before it reaches the library: accept only non-negative integers smaller than the array length, and reject the keys `__proto__`, `constructor` and `prototype` for both the index and the property name. For the objects held in the array, `Object.create(null)` yields objects with no prototype to pollute, and freezing the shared prototype (`Object.freeze(Object.prototype)`) at startup blocks this class of write at the cost of breaking code that legitimately extends it.
Impact:
Denial of Service (DoS) by causing application instability. Potential for remote code execution if other code paths use polluted properties in dangerous ways.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

