Among them, the parseNested make argument flatten."Ī sample payload that can trigger Prototype Pollution
Posix, the security researcher who discovered this flaw explains in a blog post, "The express-fileupload module provides several options for uploading and managing files in the application.
When enabled, the "parseNested" option is responsible for "flattening" the uploaded JSON data into nested objects. The actual attack is made possible because of the "parseNested" feature provided by express-fileupload. Prototyping attacks such as this one leverage this 'design flaw' by injecting incompatible types of objects into existing ones to cause errors, leading to Denial of Service (DoS) at the very least, if not remote shell access.
Nodejs download code#
The ability to modify existing code is an intended feature that allows for the easy extension of the existing objects, with more properties and methods. Because JS is a prototype-based language, every object, function, and data structure in the language has an inherent "Prototype" property that can be modified via the "_proto_" mutator. This type of vulnerability, known as 'Prototype Pollution,' typically occur in JavaScript (JS) code due to the fundamental nature of the language. The estimate is conservative as it does not take into account downloads from GitHub, mirror websites, and other cloned repositories.
A Node.js module downloaded millions of times has a security flaw that can enable attackers to perform a denial-of-service (DoS) attack on a server or get full-fledged remote shell access.Īssigned CVE-2020-7699, the vulnerability lies in the " express-fileupload" npm component, which has been downloaded at least 7.3 million times from npm.
0 kommentar(er)
