parse-git-config Prototype Pollution Vulnerability in Version 3.0.0

Vulnerability

A prototype pollution vulnerability has been identified in parse-git-config version 3.0.0. The issue arises in the expandKeys function, where an attacker who controls the input can modify the global Object prototype by supplying a crafted payload. This vulnerability could lead to other injection-based attacks, especially if the modified properties interact with sensitive Node.js APIs, potentially allowing arbitrary command execution within the application's context.

Impact

Exploitation of this vulnerability allows for prototype pollution, which can disrupt the application's prototype chain. This could lead to the introduction or modification of properties that, if propagated to sensitive Node.js APIs, might enable the execution of arbitrary commands in the application's context.

Reproduction

To reproduce this vulnerability, load parse-git-config version 3.0.0 and call the expandKeys function with a configuration object that includes a '__proto__' property. This will trigger the prototype pollution by adding a custom property to the global Object prototype. After the function call, the polluted property can be accessed on the Object prototype, demonstrating that the prototype pollution has occurred.

Remediation

A pull request has been made to address this vulnerability, which can be found in the parse-git-config repository.
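The kind of guard that closes this class of bug, as an added example that is not parse-git-config's code and not the content of the pull request: the hypothetical `safeExpandKeys` assumes section headers arrive as keys shaped like `section "subsection"`, builds its result on prototype-less objects, and reports any key it drops. The sample input is constructed.

```javascript
// Added example: a hypothetical hardened expander, not parse-git-config's code.
// Assumption: section headers arrive as keys shaped like `section "subsection"`.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function safeExpandKeys(config) {
  const out = Object.create(null); // no prototype chain to walk or pollute
  const rejected = [];             // dropped keys, for logging or alerting
  for (const key of Object.keys(config)) {
    const m = /^(\S+) "(.*)"$/.exec(key);
    const section = m ? m[1] : key;
    const sub = m ? m[2] : null;
    if (FORBIDDEN.has(section) || (sub !== null && FORBIDDEN.has(sub))) {
      rejected.push(key);
      continue;
    }
    if (sub === null) {
      out[key] = config[key];
      continue;
    }
    // Create the container as an own, prototype-less object when it is missing.
    if (out[section] === null || typeof out[section] !== 'object') {
      out[section] = Object.create(null);
    }
    out[section][sub] = config[key];
  }
  return { config: out, rejected };
}

// Constructed sample input: JSON.parse keeps "__proto__" as an own key.
const sample = JSON.parse(
  '{"core": {"bare": false},' +
  ' "remote \\"origin\\"": {"url": "https://example.invalid/repo.git"},' +
  ' "__proto__": {"polluted": true},' +
  ' "branch \\"constructor\\"": {"merge": "x"}}'
);

function demo() {
  const result = safeExpandKeys(sample);
  return {
    url: result.config.remote.origin.url,
    rejected: result.rejected,
    leaked: ({}).polluted, // stays undefined when Object.prototype is untouched
  };
}
console.log(demo());
```

Logging the `rejected` list gives operations a signal that a configuration carried reserved key names.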

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.