Overview
Prototype pollution vulnerability in ‘dotty’ versions 0.0.1 through 0.1.0 allows attacker to cause a denial of service and may lead to remote code execution.
Details
The NPM module `dotty` can be abused by Prototype Pollution vulnerability since the function `put()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to denial of service or potentially remote code execution.
PoC Details
The `put()` function accepts `object, path, value` arguments. Due to the absence of validation on the values passed into `path, value` an attacker can supply a malicious value by adjusting the `path` value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly be assigned to the new object thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the valued would be substituted as "Yes! Its Polluted" as it had been polluted.
PoC Code
var dotty = require("dotty")
var obj = {} console.log("Before : " + {}.polluted);
dotty.put(obj, '__proto__.polluted', 'Yes! Its Polluted');
console.log("After : " + {}.polluted);
Affected Environments
0.0.1-0.1.0
Prevention
Upgrade to version 0.1.1