utils-extend
cpe:2.3:a:utils-extend_project:utils-extend:*:*:*:*:node.js:*:*
- 1.0.8
A prototype pollution vulnerability has been identified in the utils-extend library, specifically in version 1.0.8. This vulnerability allows an attacker to manipulate the global prototype chain by supplying a payload with an Object.prototype setter. The immediate consequence is a denial-of-service (DoS) condition, but this vulnerability could also lead to more severe injection-based attacks, depending on how the library is used within an application. For example, if a polluted property is passed to sensitive Node.js APIs like exec or eval, it could allow an attacker to execute arbitrary commands in the application's context.
Exploitation of this vulnerability allows for prototype pollution, which can disrupt the application's prototype chain. This could lead to a denial-of-service condition and potentially facilitate other injection-based attacks, especially if the polluted prototype interacts with sensitive Node.js APIs.
To reproduce this vulnerability, import the utils-extend library and create an object. Before applying the prototype pollution, log the object's prototype to show its initial state. Then, use the 'extend' function from the utils-extend library to add a property to the object's prototype, effectively polluting it. After the pollution, log the prototype again to demonstrate the change. Finally, remove the polluted property to clean up.
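The class of bug described above, next to a hardened merge, as an added example that is not code from utils-extend or from this advisory. `naiveExtend`, `safeExtend`, `checkMerge` and the payload are constructed for illustration; `naiveExtend` is an assumed stand-in for an unguarded recursive merge, not the library's source.

```javascript
// Added example. naiveExtend is a constructed stand-in for an unguarded
// recursive merge; it is NOT the utils-extend source code.
function naiveExtend(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      // target['__proto__'] resolves to Object.prototype via the inherited
      // accessor, so the recursion below writes onto the shared prototype.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant: own keys only, never descend through prototype-reaching keys.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      // Only recurse into an object the target itself owns.
      const own = hasOwn(target, key) ? target[key] : null;
      if (own === null || typeof own !== 'object') target[key] = {};
      safeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge a constructed payload, report whether an unrelated object inherits
// the injected key, then remove it so the process is left clean.
function checkMerge(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "demo"}');
  const merged = mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, name: merged.name };
}

console.log('naive:', checkMerge(naiveExtend));
console.log('safe: ', checkMerge(safeExtend));
```

`checkMerge` can be pointed at any two-argument merge function as a regression check when replacing or patching a merge helper.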