cli-util Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the 'lib.merge' function of 'cli-util' version 1.1.27. This vulnerability allows attackers to supply a crafted payload that modifies properties within the global prototype chain, potentially leading to a denial-of-service condition. Furthermore, depending on how 'cli-util' is integrated into an application, this vulnerability could escalate to other injection-based attacks, such as executing arbitrary commands through sensitive Node.js APIs like 'exec' or 'eval'.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. However, it also introduces the risk of other injection-based attacks, depending on the application's use of the 'cli-util' library.
Reproduction
The vulnerability can be reproduced by importing the 'cli-util' library and using the 'lib.merge' function to merge an object that includes a prototype pollution payload, such as one that adds a property to 'Object.prototype', with a target object. After the merge, the polluted prototype can be observed, indicating that the vulnerability has been successfully exploited.
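The pattern behind the reproduction above, shown as an added example (not code from 'cli-util' or from this advisory): an unguarded recursive merge beside a hardened one. The functions 'naiveMerge', 'safeMerge' and 'demo' are hypothetical stand-ins, and the payload is constructed for illustration.

```javascript
// Stand-in for an unguarded recursive merge (hypothetical; not cli-util's source).
function naiveMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      // target['__proto__'] resolves to Object.prototype, so the recursion writes into it.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened form: own keys only, prototype-reaching keys skipped,
// and nested merges only descend into the target's own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merges a constructed payload, reports whether an unrelated object
// sees the injected property, then restores Object.prototype.
function demo(mergeFn) {
  // JSON.parse creates "__proto__" as an own, enumerable key.
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  const merged = mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // clean up so later code is unaffected
  return { leaked, name: merged.name };
}

console.log('naiveMerge:', demo(naiveMerge)); // { leaked: true, name: 'x' }
console.log('safeMerge: ', demo(safeMerge));  // { leaked: false, name: 'x' }
```

The same 'leaked' check can serve as a regression test around any merge helper that accepts untrusted objects.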
