expand-object Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability has been identified in the expand-object package, affecting all versions from 0.0.0 onward. The issue lies in the expand() function, which expands a given string into an object: nested properties are set without validating the keys against sensitive properties such as __proto__, so attacker-controlled input can inject properties into object prototypes.

Impact

Exploiting this vulnerability allows prototype pollution: an attacker can inject properties into JavaScript object prototypes. This can corrupt the application's prototype chain, potentially causing a denial of service by triggering JavaScript exceptions, or altering application behaviour so that injected payloads are executed, leading to remote code execution.

Reproduction

To reproduce this vulnerability, use expand-object version 0.0.0 or later. Calling expand() with a string whose path includes a sensitive property such as __proto__ injects a property into the object's prototype, which can then be accessed and exploited.
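As an added example (not expand-object's own code), the mitigation a maintainer would apply: a path-expanding setter that rejects the keys prototype pollution relies on, builds intermediate objects without a prototype, and offers a post-condition check that Object.prototype is still clean. The "a.b:1,a.c:x" input format and all function names are assumptions, not the package's API.

```javascript
// Keys that can reach a prototype through a nested path; any path containing
// one of these segments is refused outright rather than silently dropped.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b.c" into segments and reject empty or forbidden ones.
function safeSegments(path) {
  const segments = String(path).split('.');
  for (const seg of segments) {
    if (seg === '') throw new Error(`empty segment in path "${path}"`);
    if (FORBIDDEN_KEYS.has(seg)) throw new Error(`refusing forbidden key "${seg}"`);
  }
  return segments;
}

// Set a nested value on target, creating only prototype-less intermediates so
// that even a missed key could not reach Object.prototype.
function setPath(target, path, value) {
  const segments = safeSegments(path);
  let cursor = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const existing = Object.prototype.hasOwnProperty.call(cursor, key) ? cursor[key] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      cursor[key] = Object.create(null);
    }
    cursor = cursor[key];
  }
  cursor[segments[segments.length - 1]] = value;
  return target;
}

// Expand a comma-separated "path:value" string (assumed format) into an object;
// a bare path with no value becomes true.
function expandSafe(input) {
  const result = Object.create(null);
  for (const pair of String(input).split(',')) {
    const idx = pair.indexOf(':');
    const path = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? true : pair.slice(idx + 1);
    setPath(result, path.trim(), value);
  }
  return result;
}

// Post-condition check for tests or a startup self-test: a fresh plain object
// must not inherit any of the given keys, i.e. nothing leaked into Object.prototype.
function prototypeIsClean(probeKeys) {
  const probe = {};
  return probeKeys.every((k) => !(k in probe));
}
```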

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.