Alizeait Unflatto Prototype Pollution Vulnerability Allowing Arbitrary Code Execution or Denial-of-Service

A prototype pollution vulnerability has been identified in the Alizeait Unflatto module, affecting versions through 1.0.2. The issue arises in the method 'exports.unflatto' within 'dist/index.js', where unsafely assigned properties can be exploited to inject arbitrary data. This vulnerability could lead to the execution of arbitrary code or cause a denial-of-service condition by manipulating the application's prototype chain.

Impact

Exploitation of this vulnerability allows for prototype pollution, which can be leveraged to execute arbitrary code, cause a denial-of-service condition, or potentially conduct cross-site scripting attacks.

Reproduction

The vulnerability can be reproduced by importing the Unflatto library and calling the 'unflatto' method with a payload that includes a crafted '__proto__' property. This injection will pollute the prototype of the victim object, demonstrating the successful exploitation of the vulnerability.

Remediation

To address this vulnerability, ensure that property assignments only involve the object's own properties. Implement checks to prevent the assignment of special property names such as '__proto__' or 'constructor'.