Описание
locutus is vulnerable to Prototype Pollution
Summary
A Prototype Pollution vulnerability exists in the the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.
Details
The vulnerability resides in line 77 to 79 of https://github.com/locutusjs/locutus/blob/main/src/php/strings/parse_str.js where includes() function is used to check whether user provided input contain forbidden strings.
PoC
Steps to reproduce
- Install latest version of locutus using npm install or cloning from git
- Run the following code snippet:
Expected behavior
Prototype Pollution should be prevented and {} should not gain new properties. This should be printed on the console:
Actual behavior
Object.prototype is polluted This is printed on the console:
Impact
This is a Prototype Pollution vulnerability, which can have severe security implications depending on how locutus is used by downstream applications. Any application that processes attacker-controlled input using this locutus.php.strings.parse_str may be affected. It could potentially lead to the following problems:
- Authentication bypass
- Denial of service
- Remote code execution (if polluted property is passed to sinks like eval or child_process)
Пакеты
locutus
>= 2.0.12, < 2.0.39
2.0.39
Связанные уязвимости
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.