xe-utils Prototype Pollution Vulnerability Leading to Denial-of-Service

Vulnerability

A prototype pollution vulnerability has been identified in the xe-utils library, specifically in version 3.5.31. The issue arises in the 'lib.merge' function: an attacker who controls the merged input can supply a crafted payload that introduces or modifies properties on the global prototype chain. This manipulation can cause a denial-of-service condition and, depending on how xe-utils is integrated within the application, potentially escalate to other injection-based attacks. For example, if the polluted property is read by sensitive Node.js APIs such as 'exec' or 'eval', it could allow execution of arbitrary commands in the application's context.

Impact

Exploitation of this vulnerability leads to prototype pollution, causing a denial-of-service condition at a minimum. However, it could also allow for other injection-based attacks, particularly if the polluted prototype interacts with sensitive Node.js APIs.

Reproduction

The vulnerability can be reproduced by importing the xe-utils library and calling the 'lib.merge' or 'lib.set' function with input that writes into the '__proto__' property of an object. Because the written properties land on the shared prototype rather than on the target object, they become visible to every object in the process, as demonstrated in the provided proof-of-concept code.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.