js-toml Prototype Pollution Vulnerability Allowing Object.prototype Modification

Vulnerability

A prototype pollution vulnerability has been identified in the js-toml library, which is a TOML parser for JavaScript. This vulnerability exists in versions prior to 1.0.2 and allows remote attackers to add or modify properties of the global Object.prototype by parsing maliciously crafted TOML input. The issue has been addressed in version 1.0.2.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can modify Object.prototype. This could lead to authentication bypasses, especially if the application uses property existence checks for authorization. Additionally, such vulnerabilities can sometimes be leveraged for Denial-of-Service attacks or remote code execution, depending on the application's logic and dependencies.

Reproduction

The vulnerability can be reproduced by parsing a TOML string that includes the '__proto__' key with a value that modifies the prototype, such as setting 'isAdmin' to true. After parsing, the modification can be verified by checking the corresponding property on the user object, which would indicate an authentication bypass.

Remediation

Users are advised to upgrade to js-toml version 1.0.2 or later. If an upgrade is not possible, ensure that TOML input is sourced from trusted origins and has been validated to exclude malicious keys.
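The bug class and the key validation described above, as an added example that is not taken from js-toml or from this advisory. The functions assignUnsafe, assignSafe and demo and the BLOCKED_KEYS list are hypothetical names, and the key paths are constructed sample input that models how a parser turns dotted keys into nested objects.

```javascript
// Added example: simplified model of dotted-key assignment, not js-toml's code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable pattern: key segments are walked through ordinary objects, so
// the segment "__proto__" resolves to Object.prototype instead of a new key.
function assignUnsafe(root, path, value) {
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return root;
}

// Hardened pattern: reject dangerous segments (a conservative choice that also
// refuses legitimate keys with these names) and use prototype-less containers.
function assignSafe(root, path, value) {
  let node = root;
  path.forEach((key, i) => {
    if (BLOCKED_KEYS.has(key)) throw new Error(`refusing key segment "${key}"`);
    if (i === path.length - 1) { node[key] = value; return; }
    const child = hasOwn(node, key) ? node[key] : null;
    if (typeof child !== 'object' || child === null) node[key] = Object.create(null);
    node = node[key];
  });
  return root;
}

// Constructed demonstration; the global prototype is cleaned up afterwards.
function demo() {
  const result = {};
  try {
    assignUnsafe({}, ['__proto__', 'isAdmin'], true);
    const user = { name: 'guest' };              // unrelated object
    result.inheritedCheck = user.isAdmin === true; // inherited lookup is fooled
    result.ownCheck = hasOwn(user, 'isAdmin');     // own-property check is not
  } finally {
    delete Object.prototype.isAdmin;
  }
  try {
    assignSafe(Object.create(null), ['__proto__', 'isAdmin'], true);
    result.safeRejected = false;
  } catch (err) {
    result.safeRejected = true;
  }
  result.cleanAfter = ({}).isAdmin === undefined;
  return result;
}
```

Authorization checks that read only own properties, as in the ownCheck line, stay correct even when some other dependency pollutes Object.prototype.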

Added: Aug 5, 2025, 1:30 AM
Updated: Aug 5, 2025, 1:30 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.