DataTables.net Prototype Pollution Vulnerability

A prototype pollution vulnerability has been identified in all versions of the DataTables.net package. This issue arises from an incomplete fix for a previous vulnerability, allowing for the injection of properties into JavaScript object prototypes. Such pollution can be exploited to overwrite fundamental attributes, potentially leading to denial-of-service conditions or unauthorized code execution.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into JavaScript object prototypes. This can disrupt the application's normal operation by causing JavaScript exceptions or manipulating the application's code execution flow. In some cases, this could lead to remote code execution.

Reproduction

To reproduce this vulnerability, load a webpage that includes jQuery and the DataTables library. Use the DataTables API to set object data in a way that targets the prototype, such as by using a property name that includes 'constructor' or '__proto__'. This will trigger the prototype pollution by injecting the specified values into the object's prototype, which can then be accessed globally.

Remediation

Upgrade to DataTables.net version 1.10.25 or 2.1.2 or higher.