Aliconnect SDK Prototype Pollution Vulnerability Allowing Arbitrary Code Execution

A prototype pollution vulnerability has been identified in the Aliconnect SDK version 0.0.6. This issue allows an attacker to execute arbitrary code by injecting a malicious object into the aim function of the aim.js component. The vulnerability arises from a lack of validation on user-controllable input, which can be exploited to modify the behavior of the program.

Impact

Exploitation of this vulnerability allows for prototype pollution, which can lead to arbitrary code execution.

Reproduction

To reproduce this vulnerability, load the Aliconnect SDK and parse a JSON object that includes a prototype modification, such as adding a 'polluted' property. Then, pass this object to the aim function in the aim.js component. After the function executes, check the prototype of a new object to see if the pollution was successful by verifying the presence of the 'polluted' property.

Remediation

To mitigate this vulnerability, freeze the object prototype, validate JSON inputs, use Map instead of Object, or create objects without a prototype to break the prototype chain.