Redoc
cpe:2.3:a:redocly:redoc:*:*:*:*:*:*:*
- <= 2.2.0
A prototype pollution vulnerability has been identified in Redoc versions through 2.2.0. The issue arises in the 'Module.mergeObjects' function, which recursively copies properties from source objects to the destination object. Because the function lacks proper security checks, an attacker can inject malicious properties into the built-in 'Object.prototype' using special property names like '__proto__' or 'constructor'. This pollution can disrupt application logic, potentially leading to a denial-of-service condition, remote code execution, or cross-site scripting vulnerabilities.
Exploitation of this vulnerability allows for prototype pollution, which can disrupt application logic and lead to a denial-of-service condition. According to the issue discussion, this type of vulnerability could also be escalated to remote code execution or cross-site scripting attacks.
The vulnerability can be reproduced by importing the Redoc library and using the 'mergeObjects' method to merge an object that includes a crafted payload targeting the '__proto__' property. This payload can be designed to add a 'polluted' property, which can then be accessed to confirm the successful exploitation of the vulnerability.
Users can update to the latest version of Redoc, where this vulnerability has been fixed.
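The recursive-merge flaw described above, shown next to a hardened merge and a regression check that can be run against any merge helper. This is an added example, not Redoc's source code or its fix: naiveMerge, safeMerge, prototypeKeysAddedBy and the two sample payloads are hypothetical names and constructed inputs.

```javascript
// Added example; simplified merges, not Redoc's source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Unchecked recursive copy: "__proto__" is followed like any other key,
// so target[key] resolves to Object.prototype and the copy lands there.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened copy: own keys only, dangerous names skipped, and recursion only
// into objects the target itself owns (never into inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(own, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: run a merge on untrusted JSON, report any names that
// appeared on Object.prototype, then remove them so the process stays clean.
function prototypeKeysAddedBy(mergeFn, json) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  mergeFn({}, JSON.parse(json));
  const added = Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
  for (const k of added) delete Object.prototype[k];
  return added;
}

// Constructed sample inputs using the property names the advisory mentions.
const VIA_PROTO = '{"__proto__": {"polluted": "yes"}}';
const VIA_CONSTRUCTOR = '{"constructor": {"prototype": {"polluted": "yes"}}}';
console.log(prototypeKeysAddedBy(naiveMerge, VIA_PROTO), prototypeKeysAddedBy(safeMerge, VIA_PROTO));
```

The same check can be pointed at the merge helper of an installed dependency in a test suite to confirm that an upgrade actually removed the behaviour.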