|2 via 2 paths|
- Vulnerable module: domify
- Introduced through: firstname.lastname@example.org
Introduced through: email@example.com › firstname.lastname@example.org › email@example.com › firstname.lastname@example.org
domify turns HTML into DOM elements.
Affected versions of this package are vulnerable to Prototype Pollution via the `parse` function. This can lead to XSS.
There are two main ways in which the pollution of prototypes occurs:
- Unsafe Object recursive merge
- Property definition by path

Unsafe Object recursive merge
The logic of a vulnerable recursive merge function follows this high-level model:
```
merge (target, source)
  foreach property of source
    if property exists and is an object on both the target and the source
      merge(target[property], source[property])
    else
      target[property] = source[property]
```
When the source object contains a property named `__proto__` defined with `Object.defineProperty()`, the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the
Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object:
Hoek are examples of libraries susceptible to recursive merge attacks.
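
The model above as runnable JavaScript, next to a hardened merge. This is an added example, not code from domify or from this advisory; the names `unsafeMerge`, `safeMerge` and `runDemo` and the sample JSON are constructed for illustration.

```javascript
// Added example: not domify's or Snyk's code. All names are hypothetical.
const isObject = (v) => v !== null && typeof v === 'object';

// VULNERABLE: follows the high-level model above. `target[key]` for the key
// "__proto__" resolves to Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isObject(target[key]) && isObject(source[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: own keys only, prototype-reaching keys skipped, and recursion
// only into objects the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const owned = Object.prototype.hasOwnProperty.call(target, key);
    if (owned && isObject(target[key]) && isObject(source[key])) {
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
const SAMPLE_JSON = '{"name": "widget", "__proto__": {"isAdmin": true}}';

function runDemo() {
  const out = {};
  out.merged = safeMerge({}, JSON.parse(SAMPLE_JSON));
  out.afterSafe = ({}).isAdmin;      // read from an unrelated, fresh object
  unsafeMerge({}, JSON.parse(SAMPLE_JSON));
  out.afterUnsafe = ({}).isAdmin;    // same read after the vulnerable merge
  delete Object.prototype.isAdmin;   // undo the pollution for this process
  out.afterCleanup = ({}).isAdmin;
  return out;
}

console.log(runDemo());
```

The read from a fresh `{}` is the useful regression check: it shows whether a merge changed objects that were never passed to it.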
Property definition by path
theFunction(object, path, value)
If the attacker can control the value of “path”, they can set this value to
myValue is then assigned to the prototype of the class of the object.
Types of attacks
There are a few methods by which Prototype Pollution can be manipulated:
|Denial of service (DoS)||Client||This is the most likely attack.
DoS occurs when
The attacker pollutes
For example: if an attacker pollutes
|Remote Code Execution||Client||Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
|Property Injection||Client||The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for
The following environments are susceptible to a Prototype Pollution attack:
- Application server
- Web server
How to prevent
- Freeze the prototype— use
- Require schema validation of JSON input.
- Avoid using unsafe recursive merge functions.
- Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.
- As a best practice use
For more information on this vulnerability type:
Upgrade domify to version 1.4.1 or higher.
- Vulnerable module: concat-stream
- Introduced through: email@example.com
Introduced through: firstname.lastname@example.org › email@example.com › firstname.lastname@example.org › email@example.com
concat-stream is a writable stream that concatenates strings or binary data and calls a callback with the result.
Affected versions of the package are vulnerable to Uninitialized Memory Exposure.
A possible memory disclosure vulnerability exists when a value of type `number` is provided to the `stringConcat()` method and results in concatenation of uninitialized memory to the stream collection.
This is a result of unobstructed use of the `Buffer` constructor, whose insecure default constructor increases the odds of memory leakage.
Constructing the `Buffer` class with integer `N` creates a `Buffer` of length `N` with raw (not "zero-ed") memory.
In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100":
```js
// uninitialized Buffer of length 100
x = new Buffer(100);
// initialized Buffer with value of '100'
x = new Buffer('100');
```
The `stringConcat` function uses the default `Buffer` constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous Heartbleed flaw in OpenSSL.
You can read more about the insecure `Buffer` behavior on our blog.
Upgrade concat-stream to version 1.5.2 or higher.
Note: This is vulnerable only for Node <=4.