Utile Prototype Pollution Vulnerability Leading to Denial-of-Service

Vulnerability

A prototype pollution vulnerability has been identified in the 'utile' library, specifically in version 0.3.0. The issue arises in the 'lib.createPath' function, where an attacker can send a crafted payload that manipulates properties on the global prototype chain. Exploitation can cause a denial-of-service condition and may lead to other injection-based attacks, depending on how the library is used within the application. For example, if a polluted property reaches a sensitive sink such as 'exec' or 'eval', an attacker could execute arbitrary commands in the application's context.

Impact

Exploitation of this vulnerability causes a denial-of-service condition and introduces the risk of prototype pollution, which could escalate to other injection-based attacks, particularly if the polluted properties interact with sensitive Node.js APIs.

Reproduction

The vulnerability can be reproduced by importing the 'utile' library and calling the 'createPath' function with a payload that includes an Object.prototype setter. This payload will modify the prototype chain, as demonstrated in the provided proof-of-concept code.
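The class of bug described above, shown as an added example that is not utile's source and not the proof-of-concept referenced on this page: naiveCreatePath is a simplified stand-in for a createPath-style helper, safeCreatePath is one way to harden the pattern, and demo() works as a regression check. All function names and the sample path are assumptions constructed for illustration.

```javascript
// Added example: stand-ins for a createPath-style helper, not utile's code.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Naive pattern: follows any key, so an inherited key can lead the walk
// out of the caller's object and onto Object.prototype.
function naiveCreatePath(obj, path, value) {
  path.forEach((key, i) => {
    if (!obj[key]) obj[key] = i === path.length - 1 ? value : {};
    obj = obj[key];
  });
}

// Hardened pattern: validate every segment first, then walk own properties only.
function safeCreatePath(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const key of path) {
    if (typeof key !== 'string' || BLOCKED.has(key)) {
      throw new RangeError('refusing path segment: ' + String(key));
    }
  }
  path.forEach((key, i) => {
    const last = i === path.length - 1;
    if (!hasOwn(obj, key)) {
      obj[key] = last ? value : {};
    } else if (!last && (typeof obj[key] !== 'object' || obj[key] === null)) {
      throw new TypeError('cannot descend into non-object at: ' + key);
    }
    obj = obj[key];
  });
}

// Regression check on constructed input: what does each variant do to
// objects that were never passed to it?
function demo() {
  const path = ['__proto__', 'polluted']; // constructed sample path
  naiveCreatePath({}, path, true);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the naive run's side effect
  let rejected = false;
  try { safeCreatePath({}, path, true); } catch (e) { rejected = e instanceof RangeError; }
  const cfg = {};
  safeCreatePath(cfg, ['db', 'host'], 'localhost');
  return { naivePolluted, rejected, safeClean: ({}).polluted === undefined, cfg };
}
```

The same segment check can be applied in a wrapper around any path-setting helper that receives keys from untrusted input, before the helper is called.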

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.