GSAP Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability exists in the GSAP package, specifically in versions prior to 3.6.0. This vulnerability allows an attacker to inject properties into JavaScript object prototypes, potentially leading to various impacts such as denial of service or remote code execution. The issue arises from the library's handling of JSON input, which can be manipulated to overwrite prototype properties. Exploitation of this vulnerability is possible in web applications, web servers, and certain application server environments.

Impact

Exploitation of this vulnerability allows for prototype pollution, where injected properties can disrupt the application's JavaScript execution. This can cause a denial of service by triggering exceptions or, in some cases, lead to remote code execution by manipulating object prototypes in a way that executes arbitrary code.

Reproduction

To reproduce this vulnerability, use a version of the GSAP library prior to 3.6.0. The vulnerability can be demonstrated by calling the 'gsap.config' method with a payload that includes a '__proto__' property. This payload will pollute the JavaScript prototype, injecting a 'polluted' property that can be accessed and verified, such as by using 'document.write' to output the polluted value.

Remediation

Upgrade GSAP to version 3.6.0 or higher.
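The failure mode described under Reproduction, with an input filter for untrusted JSON that reaches a configuration call, as an added example that is not GSAP's code or part of the original advisory. `naiveMerge` is a hypothetical stand-in for an unfiltered recursive merge, `parseUntrustedConfig` and `isPrototypePolluted` are illustrative names, and the payload is a constructed sample:

```javascript
'use strict';

// Keys that let untrusted JSON reach an object's prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse untrusted JSON and drop blocked keys at every nesting level.
// A reviver that returns undefined removes that property from the result.
function parseUntrustedConfig(text) {
  return JSON.parse(text, (key, value) =>
    BLOCKED_KEYS.has(key) ? undefined : value);
}

// Hypothetical stand-in for a recursive config merge with no key filtering.
// This is NOT GSAP's code; it only reproduces the general failure mode.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True when Object.prototype itself carries `marker`, i.e. it was modified.
function isPrototypePolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Runs the merge on raw and on filtered input and reports what each did.
function demo() {
  // Constructed sample payload, shaped like the one the advisory describes.
  const payload = '{"units": {"left": "%"}, "__proto__": {"polluted": "yes"}}';
  naiveMerge({}, JSON.parse(payload));
  const rawPolluted = isPrototypePolluted('polluted');
  delete Object.prototype.polluted; // undo the change before the second run
  const merged = naiveMerge({}, parseUntrustedConfig(payload));
  return { rawPolluted, filteredPolluted: isPrototypePolluted('polluted'), merged };
}

console.log(demo());
```

The `isPrototypePolluted` check can also run in a regression test after the upgrade to confirm that the same payload no longer changes `Object.prototype`.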

Added: May 15, 2026, 10:06 AM
Updated: May 15, 2026, 10:06 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.