@rpldy Uploader Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the @rpldy/uploader package, specifically in version 1.8.1. This vulnerability allows attackers to manipulate the global prototype chain by supplying a crafted payload, potentially leading to a denial-of-service condition. Furthermore, if the injected properties interact with sensitive Node.js APIs, it could escalate to more severe injection-based attacks, such as executing arbitrary commands within the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. However, it also introduces the risk of more serious injection-based attacks, depending on how the library is used within the application.
Reproduction
The vulnerability can be reproduced by importing the @rpldy/uploader library and using the createUploader function. A payload must be crafted to include an Object.prototype setter, which will introduce or modify properties in the global prototype chain. After the payload is processed, the polluted prototype can be observed, confirming the successful exploitation of the vulnerability.
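As an added example (not code from @rpldy/uploader or from this advisory), the following shows one way an application can strip prototype-related keys from untrusted options before they reach a recursive merge, and how to check Object.prototype for pollution afterwards. naiveMerge is a hypothetical stand-in for an unfiltered merge, and the option values and the pollutedMarker name are constructed.

```javascript
// Added example, not @rpldy/uploader code. naiveMerge is a hypothetical
// stand-in for a recursive options merge that does not filter keys.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]); // target.__proto__ is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Deep-copy untrusted input, dropping keys that can reach a prototype.
function sanitizeOptions(value) {
  if (Array.isArray(value)) return value.map(sanitizeOptions);
  if (!isObject(value)) return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (!BLOCKED_KEYS.has(key)) clean[key] = sanitizeOptions(value[key]);
  }
  return clean;
}

// Detection: a healthy runtime has no enumerable own keys on Object.prototype.
const pollutedKeys = () => Object.keys(Object.prototype);

function demo() {
  // Constructed sample input; "pollutedMarker" is an arbitrary marker name.
  const untrusted = JSON.parse(
    '{"destination":{"url":"/upload"},"__proto__":{"pollutedMarker":true}}'
  );
  const before = pollutedKeys();
  naiveMerge({}, untrusted);
  const afterNaive = pollutedKeys();
  delete Object.prototype.pollutedMarker; // restore the runtime
  const safe = naiveMerge({}, sanitizeOptions(untrusted));
  return { before, afterNaive, afterSafe: pollutedKeys(), safe };
}

console.log(demo());
```

The same pollutedKeys check can run in a test suite or health probe to flag pollution regardless of which dependency introduced it.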
