dot-properties Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the dot-properties library, specifically in version 1.0.1. The issue arises in the 'lib.parse' function, where attackers can send a crafted payload to manipulate properties in the global prototype chain. At minimum, exploitation causes a denial-of-service condition. Depending on how the library is used within an application, the vulnerability could also lead to more severe injection-based attacks, such as executing arbitrary commands through sensitive Node.js APIs like 'exec' or 'eval'.
Impact
Exploitation of this vulnerability allows for prototype pollution, which can disrupt the application's prototype chain. This interference can cause a denial-of-service condition and potentially facilitate other injection-based attacks, depending on the application's context and how it handles the polluted prototype.
Reproduction
To reproduce this vulnerability, use dot-properties version 1.0.1 and call the 'lib.parse' function with a payload that includes an Object.prototype setter. This will introduce a new property into the prototype, which can be verified by checking the prototype of an object before and after the function call. The addition of the property can disrupt the application's functionality and, if the polluted property is used with certain Node.js APIs, could lead to more serious consequences, such as arbitrary code execution.
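The before-and-after prototype check described above can be turned into a regression test. This added example is not from the advisory or from dot-properties: `parse` is a constructed toy dotted-key parser standing in for a vulnerable one, `prototypeDiff` and `SAMPLE` are hypothetical names, and the hardened mode shows one common mitigation, not necessarily the change made in 1.0.2.

```javascript
// Toy dotted-key parser, constructed for this example (not dot-properties' code).
// Segments that reach the prototype chain; the safe mode refuses them.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function parse(text, safe) {
  const make = () => (safe ? Object.create(null) : {});
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const out = make();
  for (const line of text.split('\n')) {
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const path = line.slice(0, eq).trim().split('.');
    // Hardened: drop any key whose path touches the prototype chain.
    if (safe && path.some((seg) => FORBIDDEN.has(seg))) continue;
    let node = out;
    for (const seg of path.slice(0, -1)) {
      // Naive: plain lookup follows inherited accessors such as __proto__.
      const child = safe && !own(node, seg) ? undefined : node[seg];
      if (typeof child !== 'object' || child === null) node[seg] = make();
      node = node[seg];
    }
    node[path[path.length - 1]] = line.slice(eq + 1).trim();
  }
  return out;
}

// Runs fn, returns the keys it added to Object.prototype, and removes them again.
function prototypeDiff(fn) {
  const before = new Set(Reflect.ownKeys(Object.prototype));
  let added = [];
  try {
    fn();
  } finally {
    added = Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
    for (const k of added) delete Object.prototype[k];
  }
  return added;
}

// Constructed sample input: one ordinary key and one key using the __proto__ accessor.
const SAMPLE = 'db.host = localhost\n__proto__.polluted = yes';

console.log('naive   :', prototypeDiff(() => parse(SAMPLE, false)));
console.log('hardened:', prototypeDiff(() => parse(SAMPLE, true)));
```

Wrapping a real parser call in `prototypeDiff` inside a test suite flags any release that starts writing to `Object.prototype`.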
Remediation
Users are advised to upgrade to dot-properties version 1.0.2 or later, where this vulnerability has been addressed.
