@zag-js/core Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the @zag-js/core library, specifically in version 0.50.0. This vulnerability allows attackers to manipulate the global prototype chain by supplying a crafted payload, potentially leading to a denial-of-service condition. Furthermore, if the injected properties interfere with sensitive Node.js APIs, it could escalate to more severe injection-based attacks, such as executing arbitrary commands within the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. However, it also introduces the risk of more serious injection-based attacks, depending on how the library is used within the application.
Reproduction
To reproduce this vulnerability, import the @zag-js/core library and call the 'deepMerge' function with a payload that includes an Object.prototype setter. This will modify the prototype chain, as demonstrated in the provided proof-of-concept code.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.