node-opcua-alarm-condition Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in node-opcua-alarm-condition version 2.134.0. The issue arises in the fieldsToJson function, where an attacker can send a crafted payload that manipulates properties on the global prototype chain. Exploitation causes at least a denial-of-service condition, and could lead to other injection-based attacks if the polluted properties reach sensitive Node.js APIs.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. However, it also introduces the risk of other injection-based attacks, depending on how the library is used within the application. For example, if the polluted property is passed to sensitive Node.js APIs like exec or eval, it could allow an attacker to execute arbitrary commands in the application's context.
Reproduction
The vulnerability can be reproduced by importing the node-opcua-alarm-condition library and calling the fieldsToJson function with a payload that includes an Object.prototype setter. This action will modify the prototype of an object, as demonstrated in the proof-of-concept code.
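As a defensive counterpart to the behaviour described above, the following added example (not code from node-opcua-alarm-condition or from this advisory) shows one way to build a nested object from peer-supplied field names without letting any name reach a prototype. The helper names, the dot-separated path format and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not node-opcua-alarm-condition code.
// Assumption: field names arrive as dot-separated paths supplied by a peer.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Split a dotted field name; refuse any segment that could reach a prototype.
function parsePath(name) {
  if (typeof name !== "string" || name.length === 0) return null;
  const segments = name.split(".");
  return segments.some((s) => s === "" || FORBIDDEN.has(s)) ? null : segments;
}

// Build a nested tree from [name, value] pairs without touching any prototype.
function fieldsToTreeSafe(pairs) {
  const tree = Object.create(null); // no inherited keys, no __proto__ accessor
  const rejected = [];
  for (const [name, value] of pairs) {
    const segments = parsePath(name);
    if (segments === null) {
      rejected.push(name); // validate the whole path first, never partially apply
      continue;
    }
    let node = tree;
    for (const key of segments.slice(0, -1)) {
      const child = node[key];
      // Only descend into containers this function created itself.
      if (typeof child !== "object" || child === null ||
          Object.getPrototypeOf(child) !== null) {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[segments[segments.length - 1]] = value;
  }
  return { tree, rejected };
}

// Constructed sample input: two ordinary fields and two hostile names.
const SAMPLE = [
  ["eventType", "ExampleAlarm"],
  ["severity.value", 800],
  ["__proto__.polluted", true],
  ["severity.constructor.prototype.polluted", true],
];

function runSample() {
  const result = fieldsToTreeSafe(SAMPLE);
  // A fresh object must not have inherited anything from the hostile names.
  return { ...result, prototypeClean: ({}).polluted === undefined };
}
```

Names that land in the rejected list are worth logging, since a well-behaved peer has no reason to send them.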
