Radashi Prototype Pollution Vulnerability in Set Function

A prototype pollution vulnerability has been identified in the Radashi TypeScript utility toolkit, affecting versions prior to 12.5.1. The issue arises in the set function, where an attacker can manipulate the path argument to alter the prototype of all objects in the JavaScript runtime. This could result in unexpected behavior, denial of service, or, in certain scenarios, remote code execution.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can modify the prototype of all objects in the JavaScript runtime. This could lead to various consequences, including unexpected application behavior, denial of service, or remote code execution in specific situations.

Reproduction

The vulnerability can be reproduced by using the set function and providing a path argument that includes '__proto__', 'prototype', or 'constructor'. The function will throw an error if these keys are detected, indicating that the prototype pollution vulnerability has been successfully exploited.

Remediation

Users should upgrade to Radashi version 12.5.1 or later, which includes a patch for this vulnerability. The patch prevents the use of dangerous keys that can lead to prototype pollution. For those unable to upgrade, a manual workaround involves sanitizing the path argument to remove any instances of '__proto__', 'prototype', or 'constructor'.