Canvg Prototype Pollution Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A prototype pollution vulnerability has been identified in Canvg version 4.0.2. The 'StyleElement' constructor, which parses the CSS carried by an SVG <style> element, can be driven by crafted CSS containing a prototype pollution payload (a key such as '__proto__') to inject or alter properties on the global prototype chain, i.e. Object.prototype. Prototype pollution does not execute code on its own, but because every plain object in the process inherits the injected properties, it can be chained into other injection-based attacks: where application code on the same path hands object properties to sensitive Node.js APIs such as 'exec' or 'eval', the outcome can be execution of arbitrary commands in the application's context.

Impact

Successful exploitation pollutes Object.prototype for the whole Node.js process, and the injected properties remain visible on every inheriting object until the process restarts. By itself this yields logic bypass or denial of service wherever code checks for properties it did not expect to exist; it escalates to arbitrary code or command execution only when the application uses sensitive Node.js APIs ('exec', 'eval' and similar) whose inputs are influenced by the polluted properties.

Reproduction

The vulnerability can be reproduced by constructing a 'StyleElement' instance with crafted CSS that carries a prototype pollution payload. Mock the document and node objects the constructor expects, pass the malicious CSS as the style text, and then confirm the pollution by checking that the injected property is present on the global prototype: a fresh object literal created before or after the call, which should own nothing, now reports the injected key.
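The following is an added example, not canvg's own code, that models the pattern the reproduction above relies on and puts a hardened variant beside it. It assumes (this is an assumption, not something the advisory states) that the constructor splits the style body into rules and stores each rule's declarations under document.styles[selector] with document.styles being a plain object literal, so that a selector of "__proto__" resolves to Object.prototype. The parser, payload and document objects are constructed for the example.

```javascript
// Added example (not canvg's own code): a minimal model of the pattern behind
// the StyleElement prototype pollution, next to a hardened version.
// Assumption: the constructor splits the <style> body into rules and stores each
// rule's declarations as document.styles[selector], where document.styles is a
// plain object literal. A selector of "__proto__" therefore resolves to
// Object.prototype and the declarations are written onto it.

// Tiny rule parser for "sel1, sel2 { name: value; ... }" (constructed, not canvg's parser).
function parseRules(css) {
  const rules = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selectors = m[1].split(',').map((s) => s.trim()).filter(Boolean);
    const declarations = Object.create(null); // null prototype: keys are data, never accessors
    for (const decl of m[2].split(';')) {
      const colon = decl.indexOf(':');
      if (colon === -1) continue;
      const name = decl.slice(0, colon).trim();
      if (name) declarations[name] = decl.slice(colon + 1).trim();
    }
    rules.push({ selectors, declarations });
  }
  return rules;
}

// Vulnerable: indexes a plain object by an attacker-controlled selector and writes into it.
function applyStylesVulnerable(document, css) {
  for (const { selectors, declarations } of parseRules(css)) {
    for (const selector of selectors) {
      // document.styles["__proto__"] is Object.prototype, so the writes below land there.
      const styles = document.styles[selector] = document.styles[selector] || {};
      for (const name of Object.keys(declarations)) {
        styles[name] = declarations[name];
      }
    }
  }
  return document;
}

// Hardened: keep the selector map and each style bag prototype-less, and refuse
// the keys that walk the prototype chain on ordinary objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function applyStylesHardened(document, css) {
  if (Object.getPrototypeOf(document.styles) !== null) {
    document.styles = Object.assign(Object.create(null), document.styles);
  }
  for (const { selectors, declarations } of parseRules(css)) {
    for (const selector of selectors) {
      if (FORBIDDEN_KEYS.has(selector)) continue; // drop the rule instead of storing it
      const styles = document.styles[selector] || (document.styles[selector] = Object.create(null));
      for (const name of Object.keys(declarations)) {
        if (FORBIDDEN_KEYS.has(name)) continue;
        styles[name] = declarations[name];
      }
    }
  }
  return document;
}

// Constructed payload: one malicious rule next to a legitimate one.
const PAYLOAD_CSS = '__proto__ { polluted: yes } .a { fill: red }';

// Runs one implementation against the payload and reports what a verifier would check:
// whether an object created before the call now inherits "polluted", whether Object.prototype
// really owns it, and whether the legitimate rule survived. Cleans Object.prototype afterwards.
function demonstrate(applyFn) {
  const probe = {};
  const doc = { styles: {} };
  applyFn(doc, PAYLOAD_CSS);
  const report = {
    polluted: probe.polluted === 'yes',
    prototypeHasOwn: Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted'),
    storedSelectors: Object.keys(doc.styles).sort(),
    fillOfA: doc.styles['.a'] ? doc.styles['.a'].fill : undefined,
  };
  delete Object.prototype.polluted;
  return report;
}

console.log('vulnerable:', demonstrate(applyStylesVulnerable));
console.log('hardened:  ', demonstrate(applyStylesHardened));
```

The vulnerable run reports polluted: true even though the probe object was created before the CSS was applied, which is the process-wide effect the Impact section describes; the hardened run keeps the legitimate ".a" rule and leaves Object.prototype untouched. The null-prototype store matters as much as the key blocklist: on a prototype-less object "__proto__" is just an ordinary property name, so even a key the blocklist misses cannot reach the global chain.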

Remediation

Users should upgrade to Canvg version 4.0.3, or to version 3.0.11 on the 3.x line, to address this vulnerability. Because the pollution persists for the life of the Node.js process, any long-running process that may have rendered untrusted SVG containing a <style> element on an affected version should be restarted after the upgrade.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          7.5
exploitability  5.8
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.