The vulnerability exists in the `attachToObject` function, which merges user-supplied properties into a target object. It uses a recursive merge without checking whether a key names the target's own property or one inherited through the prototype chain. By crafting a payload with a `__proto__` or `constructor.prototype` key, an attacker can pollute the global `Object.prototype`. For example, if an attacker submits a JSON object like `{"__proto__": {"polluted": "yes"}}`, the function follows the `__proto__` key into `Object.prototype` and adds the `polluted` property there. Consequently, every object created in the application afterwards inherits this property, which can alter application logic or cause a denial of service when unexpected properties lead to crashes or infinite loops.
Platform: npm
Version: <=1.10.4
Vulnerability: Prototype Pollution
Severity: Low
Date: 2025-09-24
Prediction: Patch by 2025-10-01
What Undercode Says:
Check which version is installed:

```shell
npm list web3-core-subscriptions
```

The payload shape described above, and what a vulnerable merge does with it:

```javascript
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
// JSON.parse creates an own property literally named "__proto__";
// a vulnerable recursive merge would follow it into Object.prototype.
console.log({}.isAdmin); // undefined before such a merge runs; true after pollution
```
How to Exploit:
Craft a malicious subscription payload containing the `__proto__` property to inject properties into the base object prototype, leading to application instability or control flow manipulation.
Protection from this CVE
Upgrade the web3-core-subscriptions package to a version later than 1.10.4. Validate and sanitize input so that objects carrying the prototype-polluting keys `__proto__`, `constructor` and `prototype` are rejected before they are merged. Use merge libraries such as `lodash.merge` only in a form that rejects these keys, or keep untrusted data in objects that have no prototype to pollute, such as those created with `Object.create(null)`.
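The merge pattern the write-up describes and the fix it recommends, side by side, as an added example that is neither the package's code nor the reporter's: `naiveMerge` is a hypothetical stand-in for a recursive merge with no own-property check (not the real `attachToObject`), `safeMerge` drops the `__proto__`, `constructor` and `prototype` keys and keeps nested data in `Object.create(null)` containers, and the sample payload is constructed to match the one above. Run it with `node`.

```javascript
// Added example: a naive recursive merge of the kind described above (a stand-in
// for the pattern, NOT the real attachToObject from web3-core-subscriptions),
// beside a hardened merge. All names and the sample payload are constructed.

function naiveMerge(target, source) {
  // for...in plus bracket assignment: no own-property check, no key filtering.
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      // When key is "__proto__", target[key] resolves to Object.prototype,
      // so the recursion writes the attacker's properties onto it.
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys through which a merge can reach a shared prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  // Object.keys: own enumerable properties only, so nothing inherited is copied.
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop prototype-polluting keys
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      // Nested containers are prototype-less, so they cannot be polluted either.
      const child = own && typeof own === "object" ? own : Object.create(null);
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample payload, shaped like the one in the write-up.
const SAMPLE_PAYLOAD = '{"__proto__":{"polluted":"yes"},"id":1}';

// Runtime check a service can perform after handling untrusted input:
// has a given property been planted directly on Object.prototype?
function prototypeIsPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

function runDemo() {
  const results = {};

  // Hardened merge: the payload's own data is kept, the prototype is untouched.
  const safeTarget = safeMerge({}, JSON.parse(SAMPLE_PAYLOAD));
  results.safeId = safeTarget.id;
  results.safeLeak = prototypeIsPolluted("polluted");

  // Naive merge: an unrelated fresh object now carries the attacker's property.
  naiveMerge({}, JSON.parse(SAMPLE_PAYLOAD));
  results.naiveLeak = prototypeIsPolluted("polluted");
  results.freshObjectValue = {}.polluted;

  // Undo the pollution so the rest of the process is unaffected.
  delete Object.prototype.polluted;
  return results;
}

console.log(runDemo());
```

The `safeMerge` check is deliberately a key denylist plus `Object.keys` rather than a `hasOwnProperty` test on the source alone: `JSON.parse` produces an own property named `__proto__`, so an own-property check on the source would pass the key through, and it is the write into the target that must be prevented.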
Impact:
Denial of Service (DoS) through application crashes or unexpected behavior. Potential for remote code execution if the polluted properties influence sensitive code paths, though this is less likely in this specific module.
Sources:
Reported By: github.com

