vxe-table Prototype Pollution Vulnerability Leading to Denial-of-Service

Vulnerability

A prototype pollution vulnerability has been identified in vxe-table version 4.8.10. This issue arises in the lib.install and lib.setup functions, where attackers can supply a crafted payload to manipulate properties within the global prototype chain. The immediate consequence of this vulnerability is a denial-of-service, but it could also lead to other injection-based attacks, particularly if the polluted properties interact with sensitive Node.js APIs, such as exec or eval, allowing for the execution of arbitrary commands within the application's context.

Impact

Exploitation of this vulnerability causes a denial-of-service, with the potential for more severe injection-based attacks if the prototype pollution affects sensitive Node.js APIs.

Reproduction

The vulnerability can be reproduced by importing the vxe-table library and calling lib.install or lib.setup with a crafted options payload. The payload must include an Object.prototype setter, which introduces or modifies properties on the global prototype chain. After the call, the injected property is visible on every plain object in the process, which confirms that the pollution succeeded.
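The following is an added illustration, not vxe-table's own code: naiveMerge stands in for the class of recursive options merge that produces this bug (the assumption that the affected install/setup paths merge caller-supplied options this way is not confirmed by the advisory), safeMerge is the hardened form, and prototypeLeaks() is the check a caller can run after install()/setup() to detect pollution.

```javascript
// Added illustration, not vxe-table's own code. naiveMerge stands in for the
// class of recursive options merge that produces prototype pollution (assumption:
// the affected install/setup paths merge caller-supplied options this way);
// safeMerge is the hardened form, and prototypeLeaks() is a post-call check.

function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      // target['__proto__'] resolves to Object.prototype, so the recursion
      // writes the supplied keys onto every object in the process.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {        // own enumerable keys only
    if (BLOCKED_KEYS.has(key)) continue;           // never walk into the prototype chain
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && typeof target[key] === 'object';
      if (!own) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Own enumerable keys on Object.prototype; an untouched runtime returns [].
function prototypeLeaks() {
  return Object.keys(Object.prototype);
}

// Constructed payload of the shape the advisory describes: JSON.parse yields an
// own property literally named "__proto__" rather than setting the prototype.
const PAYLOAD_JSON = '{"size": "mini", "__proto__": {"polluted": "yes"}}';

function demo() {
  const payload = JSON.parse(PAYLOAD_JSON);
  naiveMerge({}, payload);
  const afterNaive = prototypeLeaks();           // ['polluted']
  delete Object.prototype.polluted;              // clean up before the second run
  safeMerge({}, payload);
  const afterSafe = prototypeLeaks();            // []
  return { afterNaive, afterSafe };
}
```

Running prototypeLeaks() after library initialisation is a cheap regression check; calling Object.freeze(Object.prototype) at process start is a coarser mitigation that stops this whole bug class but can break libraries that legitimately extend built-in prototypes.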

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.