Carboneio Carbone Prototype Pollution Vulnerability in Formatter Handler
Vulnerability
A prototype pollution vulnerability has been identified in Carboneio Carbone versions prior to commit fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. The affected code is in the file lib/input.js, in the Formatter Handler component; the specific function has not been identified. The flaw allows improper modification of object prototype attributes and can be exploited remotely. The attack is rated as highly complex and difficult to carry out. Notably, successful exploitation is possible only if the parent NodeJS application is itself affected by a similar vulnerability.
Impact
Exploitation of this vulnerability leads to prototype pollution, allowing an attacker to manipulate the object's prototype and potentially inject malicious behavior into the application.
Reproduction
The vulnerability can be reproduced by creating a NodeJS application that uses an affected version of Carboneio Carbone. Inject code through the formatters that exploits the prototype pollution vulnerability by modifying the '__proto__' attribute of an object, which can then be used to execute arbitrary code or manipulate the application in unintended ways.
Remediation
Users are advised to upgrade to Carboneio Carbone version 3.5.6, which addresses the prototype pollution vulnerability in the Formatter Handler component. The patched version is available for download on the Carboneio GitHub Releases page.
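To confirm the upgrade has reached every copy in a dependency tree, the following code scans a parsed package-lock.json for installs of the package that are not known to be at or above the fixed 3.5.6. It is an added example, not code from the Carbone project; it assumes the npm package name `carbone`, and the sample lockfile is constructed.

```javascript
// Added example, not Carbone project code. Assumes the npm package name "carbone"
// and that every release below the fixed 3.5.6 is affected.
const FIXED = [3, 5, 6];

// Classify one version string as 'fixed', 'vulnerable' or 'unknown'.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version || ''));
  if (!m) return 'unknown'; // git URL, tag or missing version: review by hand
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i] ? 'vulnerable' : 'fixed';
  }
  return m[4] ? 'unknown' : 'fixed'; // a 3.5.6 prerelease may predate the fix
}

// Return every carbone install in a parsed package-lock.json that is not known-fixed.
function findAffectedCarbone(lock) {
  const hits = [];
  const check = (where, version) => {
    const status = classify(version);
    if (status !== 'fixed') hits.push({ where, version, status });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/carbone$/.test(path)) check(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}/${name}`;
      if (name === 'carbone') check(where, meta.version);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (dependency names and versions are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'report-service', version: '1.0.0' },
    'node_modules/carbone': { version: '3.5.6' },
    'node_modules/legacy-export/node_modules/carbone': { version: '3.5.5' },
    'node_modules/pdf-tool/node_modules/carbone': { version: '3.5.6-beta.1' },
  },
};

console.log(findAffectedCarbone(SAMPLE_LOCK));
```

Entries reported as `unknown` (git references, prereleases of 3.5.6) cannot be judged from the version string alone and need to be compared against the fixing commit by hand.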
