GHSA-M34P-749J-X6M6

Vulnerability from github – Published: 2026-06-26 22:49 – Updated: 2026-06-26 22:49
VLAI
Summary
js-toml has silent type confusion via falsy-primitive duplicate-key bypass
Details

Summary

js-toml's interpreter checks whether a key already exists in a parser-built container with if (object[key]) instead of if (key in object). When the prior value is a falsy primitive — false, 0, 0n, 0.0, -0, or "" — the duplicate-key branch is skipped and the value is silently overwritten by a later sub-table, dotted-key sub-table, or array-of-tables sharing the same name. Per the TOML 1.0.0 spec ("Defining a key multiple times is invalid"; "You cannot define any key or table more than once"), this should be a parse error.

The result is structural type confusion of attacker-named keys in the value returned by load(). A boolean-typed false (or numeric 0) becomes a truthy object. Host applications that gate behavior on if (config.flag), if (!user.banned), if (config.allowDelete), or if (config.publicMode) will silently take the truthy branch.

This is distinct from GHSA-65fc-cr5f-v7r2 (the 1.0.2 prototype-pollution fix). Object.prototype is not polluted. The Object.create(null) mitigation from 1.0.2 is intact; the bug here is in the duplicate-key state machine, not in container construction.

Details

Two truthy checks are wrong:

src/load/interpreter.ts:214Interpreter.tryCreatingObject

if (object[key]) {            // falsy primitives slip through
    // duplicate-key logic
} else {
    object[key] = createSafeObject();   // silently overwrites the prior falsy value
    ...
}

src/load/interpreter.ts:278Interpreter.getOrCreateArray

if (object[first] && !Array.isArray(object[first])) {   // same flaw
    throw new DuplicateKeyError();
}
object[first] = object[first] || [];   // overwrites the prior falsy value

Both should use the in operator. Containers are created via Object.create(null), so in is unambiguous (no inherited keys to worry about).

The bug is reachable through every parent-walking interpreter path:

  • assignValue — dotted keys in key = value
  • createTable[stdTable] headers
  • getOrCreateArray[[arrayOfTables]] headers

PoC

isAdmin = false
[isAdmin]
forced = "yes"
import { load } from 'js-toml';

const config = load(`
isAdmin = false
[isAdmin]
forced = "yes"
`);

console.log(JSON.stringify(config));
// {"isAdmin":{"forced":"yes"}}

console.log(config.isAdmin ? 'BYPASS' : 'safe');
// BYPASS

if (config.isAdmin) {
  // attacker reaches admin-only code
}

Impact

Spec-violating input acceptance leading to structural type confusion. (CWE-697)

Suggested fix

in src/load/interpreter.ts

export class Interpreter extends BaseCstVisitor {
     ignoreImplicitDeclared,
     ignoreExplicitDeclared
   ) {
-    if (object[key]) {
+    if (key in object) {
       if (
         !isPlainObject(object[key]) ||
         (!ignoreExplicitDeclared &&
export class Interpreter extends BaseCstVisitor {
       return this.getOrCreateArray(keys, object[first], idx + 1);
     }

-    if (object[first] && !Array.isArray(object[first])) {
+    if (first in object && !Array.isArray(object[first])) {
       throw new DuplicateKeyError();
     }

     object[first] = object[first] || [];
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "js-toml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T22:49:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`js-toml`\u0027s interpreter checks whether a key already exists in a parser-built container with `if (object[key])` instead of `if (key in object)`. When the prior value is a falsy primitive \u2014 `false`, `0`, `0n`, `0.0`, `-0`, or `\"\"` \u2014 the duplicate-key branch is skipped and the value is silently overwritten by a later sub-table, dotted-key sub-table, or array-of-tables sharing the same name. Per the TOML 1.0.0 spec (\"Defining a key multiple times is invalid\"; \"You cannot define any key or table more than once\"), this should be a parse error.\n\nThe result is **structural type confusion of attacker-named keys** in the value returned by `load()`. A boolean-typed `false` (or numeric `0`) becomes a truthy object. Host applications that gate behavior on `if (config.flag)`, `if (!user.banned)`, `if (config.allowDelete)`, or `if (config.publicMode)` will silently take the truthy branch.\n\nThis is **distinct** from [GHSA-65fc-cr5f-v7r2](https://github.com/sunnyadn/js-toml/security/advisories/GHSA-65fc-cr5f-v7r2) (the 1.0.2 prototype-pollution fix). `Object.prototype` is **not** polluted. The `Object.create(null)` mitigation from 1.0.2 is intact; the bug here is in the duplicate-key state machine, not in container construction.\n\n### Details\n\nTwo truthy checks are wrong:\n\n`src/load/interpreter.ts:214` \u2014 `Interpreter.tryCreatingObject`\n\n```js\nif (object[key]) {            // falsy primitives slip through\n    // duplicate-key logic\n} else {\n    object[key] = createSafeObject();   // silently overwrites the prior falsy value\n    ...\n}\n```\n\n`src/load/interpreter.ts:278` \u2014 `Interpreter.getOrCreateArray`\n\n```js\nif (object[first] \u0026\u0026 !Array.isArray(object[first])) {   // same flaw\n    throw new DuplicateKeyError();\n}\nobject[first] = object[first] || [];   // overwrites the prior falsy value\n```\n\nBoth should use the `in` operator. Containers are created via `Object.create(null)`, so `in` is unambiguous (no inherited keys to worry about).\n\nThe bug is reachable through every parent-walking interpreter path:\n\n- `assignValue` \u2014 dotted keys in `key = value`\n- `createTable` \u2014 `[stdTable]` headers\n- `getOrCreateArray` \u2014 `[[arrayOfTables]]` headers\n\n### PoC\n\n```toml\nisAdmin = false\n[isAdmin]\nforced = \"yes\"\n```\n\n```js\nimport { load } from \u0027js-toml\u0027;\n\nconst config = load(`\nisAdmin = false\n[isAdmin]\nforced = \"yes\"\n`);\n\nconsole.log(JSON.stringify(config));\n// {\"isAdmin\":{\"forced\":\"yes\"}}\n\nconsole.log(config.isAdmin ? \u0027BYPASS\u0027 : \u0027safe\u0027);\n// BYPASS\n\nif (config.isAdmin) {\n  // attacker reaches admin-only code\n}\n```\n\n### Impact\n\nSpec-violating input acceptance leading to structural type confusion. (CWE-697)\n\n### Suggested fix\n\nin `src/load/interpreter.ts`\n\n```diff\nexport class Interpreter extends BaseCstVisitor {\n     ignoreImplicitDeclared,\n     ignoreExplicitDeclared\n   ) {\n-    if (object[key]) {\n+    if (key in object) {\n       if (\n         !isPlainObject(object[key]) ||\n         (!ignoreExplicitDeclared \u0026\u0026\n```\n```diff\nexport class Interpreter extends BaseCstVisitor {\n       return this.getOrCreateArray(keys, object[first], idx + 1);\n     }\n\n-    if (object[first] \u0026\u0026 !Array.isArray(object[first])) {\n+    if (first in object \u0026\u0026 !Array.isArray(object[first])) {\n       throw new DuplicateKeyError();\n     }\n\n     object[first] = object[first] || [];\n```",
  "id": "GHSA-m34p-749j-x6m6",
  "modified": "2026-06-26T22:49:28Z",
  "published": "2026-06-26T22:49:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sunnyadn/js-toml/security/advisories/GHSA-m34p-749j-x6m6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sunnyadn/js-toml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "js-toml has silent type confusion via falsy-primitive duplicate-key bypass"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…