Описание
Conform contains a Prototype Pollution Vulnerability in parseWith... function
Summary
Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions.
PoC
Details
The invocation of the parseWithZod function in the above PoC triggers the setValue function through getSubmissionContext and parse, executing the following process, resulting in prototype pollution:
This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of pointer[key] without proper validation.
Impact
Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.
Ссылки
- https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf
- https://nvd.nist.gov/vuln/detail/CVE-2024-32866
- https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de
- https://github.com/edmundhung/conform/commit/cb604dd58b99e2d12716d901a23bfca724e741ef
- https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117
Пакеты
@conform-to/dom
>= 1.0.0, <= 1.1.0
1.1.1
@conform-to/zod
>= 1.0.0, <= 1.1.0
1.1.1
@conform-to/yup
>= 1.0.0, <= 1.1.0
1.1.1
@conform-to/zod
< 0.9.2
0.9.2
@conform-to/yup
< 0.9.2
0.9.2
@conform-to/dom
< 0.9.2
0.9.2
Связанные уязвимости
Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.