php-parser Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in php-parser version 3.2.1, specifically within the lib.combine function. It allows an attacker to supply a crafted payload that adds or modifies properties on the global prototype chain (Object.prototype), which can lead to a denial-of-service condition. Furthermore, if the polluted properties are later read by sensitive Node.js APIs, the impact can escalate to more severe injection-based attacks, such as executing arbitrary commands in the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. However, it also introduces the risk of more severe injection-based attacks, depending on how the php-parser library is used within the application.
Reproduction
The vulnerability can be reproduced by importing the php-parser library and passing the lib.combine function a payload that reaches the Object.prototype setter (the __proto__ accessor). Such a payload can introduce or modify properties on the global prototype chain. After the payload is processed, the pollution can be observed by checking the __proto__ property of any plain object, which will reflect the injected changes.
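As an added illustration (not php-parser's own code, and a simplified stand-in for lib.combine rather than its implementation): an unguarded recursive merge beside a hardened one, with a check that confirms Object.prototype was left untouched after processing a payload of the shape described above. The payload and the helper names are constructed for this example.

```javascript
// Added example, not php-parser's own code: a naive recursive merge of the
// kind behind prototype-pollution bugs, a hardened version, and a check that
// confirms Object.prototype was not modified by a merge.

// Keys that must never be walked into or assigned from untrusted input.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unguarded merge (stand-in for an unsafe combine): it follows a "__proto__"
// key straight into Object.prototype and writes the input's values there.
function combineUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      combineUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: only own keys of the source are considered, forbidden keys
// are dropped, and nested targets are only reused when they are own
// properties, so the recursion can never land on a shared prototype object.
function combineSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = own !== null && typeof own === "object" ? own : {};
      target[key] = combineSafe(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Post-merge check: names of own properties that appeared on Object.prototype
// beyond the baseline snapshot taken before the merge.
function polluted(baselineKeys) {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !baselineKeys.includes(k));
}

// Constructed payload: a "__proto__" key whose value an unguarded merge
// writes into the prototype chain.
const PAYLOAD = '{"name": "app", "__proto__": {"polluted": "yes"}}';

// Runs one merge against the payload, reports leaked keys, restores globals.
function run(combine) {
  const baseline = Object.getOwnPropertyNames(Object.prototype);
  combine({}, JSON.parse(PAYLOAD));
  const leaked = polluted(baseline);
  leaked.forEach((k) => delete Object.prototype[k]);
  return leaked;
}
```

Calling run(combineUnsafe) reports ["polluted"] while run(combineSafe) reports nothing; the same baseline-snapshot check can be run after any untrusted merge as a regression guard.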