adamghill django-unicorn
cpe:2.3:a:django-unicorn:unicorn:*:*:*:*:django:*:*
- < 0.61.0
A class pollution vulnerability has been identified in Django-Unicorn, a library that adds reactive component functionality to Django templates. This vulnerability affects versions prior to 0.61.0 and arises from the 'set_property_value' function, which can be remotely triggered by users. By crafting specific component requests and manipulating the second and third parameters of this function, users can make arbitrary changes to the Python runtime. Exploitation of this vulnerability has consistently resulted in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in nearly all Django-Unicorn-based applications.
Exploitation of this vulnerability allows for Python class pollution, leading to unauthorized modifications of the Python runtime. This can be exploited to bypass authentication mechanisms, cause denial-of-service conditions by crashing the application, and execute cross-site scripting attacks by injecting malicious scripts that are executed in the context of the user's browser.
The vulnerability can be reproduced by sending a POST request to the '/unicorn/message/COMPONENT_NAME' endpoint. The request must include an 'actionQueue' entry of type 'syncInput', whose 'payload' gives the targeted property path as 'name' and the injected value as 'value'. Depending on the exploitation method, this property path can traverse the Python runtime through magic (dunder) attributes to reach and modify global objects.
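As an added detection and hardening example (not code from the Django-Unicorn project), the following Python checks the 'name' path of every 'syncInput' action in a request body against an allowlist of plain public identifiers and list indexes, so that any path segment using a magic or private attribute is flagged before it reaches property-setting logic or is surfaced in request logs. The JSON layout beyond the fields named above, the helper names and the sample bodies are assumptions constructed for this example.

```python
import json
import re

# A path segment is either a public identifier (no leading underscore, so no
# dunder/magic attributes such as __class__) or a purely numeric list index.
_SAFE_SEGMENT = re.compile(r"^(?:[A-Za-z][A-Za-z0-9_]*|[0-9]+)$")


def is_safe_property_path(name: str) -> bool:
    """Return True only if every dotted segment of the property path is allowlisted."""
    return bool(name) and all(_SAFE_SEGMENT.match(seg) for seg in name.split("."))


def find_unsafe_sync_inputs(body: str) -> list:
    """Return the 'name' of each syncInput action whose property path fails the allowlist.

    Only 'actionQueue', 'syncInput', 'payload' and 'name' come from the advisory; the
    surrounding JSON shape is an assumption. Malformed bodies yield an empty list.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    flagged = []
    for action in data.get("actionQueue") or []:
        if not isinstance(action, dict) or action.get("type") != "syncInput":
            continue
        payload = action.get("payload") or {}
        name = payload.get("name") if isinstance(payload, dict) else None
        if isinstance(name, str) and not is_safe_property_path(name):
            flagged.append(name)
    return flagged


# Constructed sample request bodies (not captured traffic).
BENIGN_BODY = json.dumps({"actionQueue": [
    {"type": "syncInput", "payload": {"name": "profile.display_name", "value": "alice"}},
    {"type": "syncInput", "payload": {"name": "items.0.title", "value": "first"}},
]})
SUSPICIOUS_BODY = json.dumps({"actionQueue": [
    {"type": "syncInput", "payload": {"name": "profile.__class__.__dict__", "value": "x"}},
    {"type": "callMethod", "payload": {"name": "save"}},
]})

if __name__ == "__main__":
    print(find_unsafe_sync_inputs(BENIGN_BODY))      # []
    print(find_unsafe_sync_inputs(SUSPICIOUS_BODY))  # ['profile.__class__.__dict__']
```

The same allowlist can be applied server-side to reject a request outright, or run over archived request bodies to find past attempts.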
Users are advised to upgrade to Django-Unicorn version 0.62.0 or later, where this vulnerability has been patched.