jszip Prototype Pollution Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the jszip package, affecting versions prior to 3.7.0. The issue arises when a zip file is created with entry filenames that coincide with property names on Object.prototype, such as __proto__ or toString. Because jszip stores entries in a plain object keyed by filename, such a name results in an object with an altered prototype, which can disrupt normal functionality. The vulnerability can be exploited by crafting a zip file that includes these prototype-related filenames, causing the jszip library to process the file in a way that modifies the object's prototype and potentially leads to application errors or crashes.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, where the application fails to handle certain object properties correctly, leading to errors. In the context of the jszip library, this can cause the application to crash or behave unexpectedly when it encounters modified prototype values.

Reproduction

The vulnerability can be reproduced by creating a zip file that includes filenames set to Object.prototype member names, such as 'toString'. When this zip file is processed by the jszip library, it throws an error because the 'files' property, which is expected to be a standard object, has been altered by the prototype pollution.

Remediation

Users are advised to upgrade the jszip package to version 3.7.1 or higher.

Added: Apr 7, 2026, 11:21 AM
Updated: Apr 7, 2026, 11:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.