expand-object Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the expand-object library, specifically in version 0.4.2. This vulnerability allows attackers to manipulate the global prototype chain by supplying a crafted payload, potentially leading to a denial-of-service condition. Furthermore, if the injected properties interfere with sensitive Node.js APIs, it could escalate to more severe injection-based attacks, such as executing arbitrary commands within the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. However, it also introduces the risk of more serious injection-based attacks, depending on how the library is used within the application.
Reproduction
The vulnerability can be reproduced by importing the expand-object library and using its 'lib' function to send a payload that targets the Object.prototype setter. This action modifies the prototype chain, as demonstrated in a provided proof-of-concept script.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.