dref Prototype Pollution Vulnerability Leading to Denial-of-Service

A prototype pollution vulnerability has been identified in the dref package version 0.1.2. This issue arises in the lib.set function, where attackers can supply a crafted payload to modify properties within the global prototype chain. The immediate consequence of this vulnerability is a denial-of-service condition, but it could also lead to other injection-based attacks, depending on how the library is used within an application. For example, if the polluted property affects sensitive Node.js APIs like exec or eval, it could allow an attacker to execute arbitrary commands in the application's context.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject or modify properties in the global prototype chain. This could disrupt the application's normal behavior, potentially leading to a denial-of-service condition. Furthermore, if the injected properties interact with sensitive Node.js APIs, it could enable more severe exploits, such as executing arbitrary commands.

Reproduction

To reproduce this vulnerability, use the dref package version 0.1.2. The vulnerability can be demonstrated by importing the dref library and using the 'lib.set' function to modify the '__proto__' property of an object. This action injects a new property into the prototype, which can be verified by checking the prototype's properties before and after the modification. The deletion of the injected property can restore the prototype to its original state.