@ndhoule/defaults Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the '@ndhoule/defaults' package, specifically in version 2.0.1. This vulnerability allows attackers to manipulate the global prototype chain by supplying a crafted payload, potentially leading to a denial-of-service condition. Furthermore, if the injected properties interfere with sensitive Node.js APIs, it could escalate to more severe injection-based attacks, such as executing arbitrary commands within the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. However, it also introduces the risk of more severe injection-based attacks, depending on how the '@ndhoule/defaults' library is used within the application.
Reproduction
The vulnerability can be reproduced by importing the '@ndhoule/defaults' library and using the 'deep' function to pass an object along with a payload that includes an Object.prototype setter. This action modifies the prototype of the object, demonstrating the prototype pollution.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.