janryWang depath and cool-path Prototype Pollution Vulnerability Allowing Arbitrary Code Execution or Denial-of-Service

Vulnerability

A prototype pollution vulnerability has been identified in janryWang's depath version 1.0.6 and cool-path version 1.1.2. The issue arises in the 'set()' method of 'lib/index.js' at line 90, where properties are unsafely assigned, allowing attackers to inject arbitrary properties. This vulnerability can be exploited to execute arbitrary code or cause a denial-of-service by manipulating built-in Object properties such as '__proto__' or 'constructor.prototype'.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into the Object prototype. This can lead to various impacts depending on the injected properties, such as disrupting application logic, causing a denial-of-service, or in some cases, allowing remote code execution or cross-site scripting attacks.

Reproduction

The vulnerability can be reproduced by importing the 'depath' or 'cool-path' library and using the 'setIn' method to inject a property into the '__proto__' of a victim object. This can be done by assigning a value to '__proto__.polluted', which will then be reflected in the prototype, demonstrating successful exploitation.

Remediation

Users are advised to implement proper sanitization and validation of inputs to prevent exploitation. This includes blocking inputs that contain '__proto__' or 'constructor.prototype'.
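One way to implement the blocking described above, as an added example that is not code from depath, cool-path or this advisory. The names `toSegments`, `assertSafePath` and `safeSetIn` are hypothetical, and the check rejects any `constructor` or `prototype` segment on its own, which is stricter than the advice above.

```javascript
// Added example: hypothetical helpers, not depath or cool-path source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted or bracketed path: "a.b[0].c" -> ["a", "b", "0", "c"].
function toSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).split(/[.\[\]'"]+/).filter(Boolean);
}

// Reject any path with a segment that can reach Object.prototype.
function assertSafePath(path) {
  const segments = toSegments(path);
  if (segments.length === 0) throw new Error('empty path');
  for (const seg of segments) {
    if (BLOCKED_KEYS.has(seg)) throw new Error(`blocked path segment: ${seg}`);
  }
  return segments;
}

// Hardened setter: validates first, then descends through own properties only.
function safeSetIn(target, path, value) {
  const segments = assertSafePath(path);
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || node[seg] === null || typeof node[seg] !== 'object') node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Constructed inputs: the two payload shapes named in this advisory, plus a benign path.
function demo() {
  const results = {};
  for (const p of ['__proto__.polluted', 'constructor.prototype.polluted', 'user.name']) {
    try {
      safeSetIn({}, p, 'yes');
      results[p] = 'written';
    } catch (err) {
      results[p] = 'rejected';
    }
  }
  results.prototypeClean = ({}).polluted === undefined;
  return results;
}

console.log(demo());
```

Array-form paths go through the same check because each element is converted to a string before comparison, so a nested `['__proto__']` element is rejected as well.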

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.