Content-Security-Policy-Parser Prototype Pollution Vulnerability Allowing Object Prototype Overwrite
Vulnerability
A prototype pollution vulnerability has been identified in the 'content-security-policy-parser' package, specifically in versions prior to 0.5.0. This vulnerability allows an attacker to override the Object prototype by supplying a directive name of '__proto__'. The issue arises because the parser does not validate or sanitize directive names before using them as property keys on the result object, so a '__proto__' key reaches the prototype accessor and modifies the prototype chain. Exploitation is possible through network requests that include crafted Content Security Policy directives, since the attacker only needs to control the policy string that the application hands to the parser.
Impact
Exploitation of this vulnerability results in prototype pollution: the Object prototype can be modified by untrusted input. The consequences depend on how the polluted prototype is subsequently used within the application, because every object that inherits from it now sees the injected properties. While the vulnerability itself does not directly cause remote code execution, such an impact could be achieved by combining the prototype pollution with other libraries that allow code execution when they encounter unexpected inherited properties.
Reproduction
To reproduce this vulnerability, parse a Content Security Policy string that includes '__proto__' as a directive name. The parser will accept it and treat it as a valid directive, allowing the Object prototype to be overwritten. This can be verified by checking the 'toString' method of the parsed result: instead of the method inherited from 'Object.prototype', it reflects the changes made to the prototype.
Remediation
Users can upgrade to version 0.6.0 or later, where this vulnerability has been patched. Alternatively, as a temporary workaround, the '__proto__' accessor can be disabled in Node.js by starting the process with the '--disable-proto=delete' or '--disable-proto=throw' option. Note that this flag applies to the whole Node.js process, so any other code that relies on the '__proto__' accessor will be affected as well.
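The following is an added illustration of the issue described in the Vulnerability, Reproduction and Remediation sections above; it is my own code, not the source of the 'content-security-policy-parser' package. The parser shape (a plain object keyed by directive name, keeping the first occurrence of each directive) is a constructed stand-in for the vulnerable behaviour the advisory describes, the hardened variant (directive-name validation plus a Map result) is my suggested shape rather than the package's actual fix, the sample policy strings are constructed, and 'protoAccessorMode' reports which '--disable-proto' mode the current Node.js process runs with so the workaround can be verified on a live process.

```javascript
// Added illustration (my own code, not the content-security-policy-parser
// package's source): a constructed, minimal CSP directive parser in the
// vulnerable shape the advisory describes, a hardened shape beside it, and
// a check for the Node.js '--disable-proto' workaround.

// Vulnerable shape: directives accumulate on a plain object, so a directive
// named "__proto__" reaches the inherited Object.prototype.__proto__ setter
// and replaces the result's prototype with the attacker-controlled value list.
function parseCspVulnerable(policy) {
  const result = {};
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens.shift().toLowerCase();
    // Keeps the first occurrence of a directive. The check looks at own
    // properties only, so it does not stop "__proto__" from hitting the setter.
    if (!Object.prototype.hasOwnProperty.call(result, name)) {
      result[name] = tokens;
    }
  }
  return result;
}

// Hardened shape (my choice, not necessarily the package's fix): directive
// names are validated against the CSP grammar (letters, digits and hyphens),
// which rejects "__proto__" outright, and the result is a Map, which has no
// inherited accessor properties for a key to collide with.
const DIRECTIVE_NAME = /^[a-z0-9-]+$/;

function parseCspHardened(policy) {
  const result = new Map();
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens.shift().toLowerCase();
    if (!DIRECTIVE_NAME.test(name)) {
      throw new Error(`rejected CSP directive name ${JSON.stringify(name)}`);
    }
    if (!result.has(name)) result.set(name, tokens);
  }
  return result;
}

// The observable effect from the Reproduction step: after a polluting parse the
// result no longer inherits from Object.prototype, so its toString comes from
// the injected array and "instanceof Array" is suddenly true for a plain object.
function prototypeWasReplaced(parsed) {
  return Object.getPrototypeOf(parsed) !== Object.prototype;
}

// Reports which '--disable-proto' mode (if any) the current Node.js process
// runs with: "delete" removes the accessor, "throw" makes any access raise
// ERR_PROTO_ACCESS, and "enabled" is the default in which the pollution works.
function protoAccessorMode() {
  if (Object.getOwnPropertyDescriptor(Object.prototype, "__proto__") === undefined) {
    return "delete";
  }
  try {
    void ({}).__proto__;
    return "enabled";
  } catch (e) {
    return "throw";
  }
}

// Constructed sample inputs, not taken from the advisory.
const POLLUTING_POLICY = "__proto__ 'self'; default-src 'none'";
const NORMAL_POLICY = "default-src 'none'; script-src 'self'";

function demo() {
  let vulnerable;
  try {
    const bad = parseCspVulnerable(POLLUTING_POLICY);
    vulnerable = {
      prototypeReplaced: prototypeWasReplaced(bad),
      toString: bad.toString(), // "'self'": Array.prototype.toString over the injected array
      looksLikeArray: bad instanceof Array,
    };
  } catch (e) {
    // Under '--disable-proto=throw' the setter access raises instead of polluting.
    vulnerable = { error: e.code || String(e) };
  }
  let hardenedRejected = false;
  try { parseCspHardened(POLLUTING_POLICY); } catch (e) { hardenedRejected = true; }
  return {
    protoAccessorMode: protoAccessorMode(),
    vulnerable,
    hardenedRejected,
    hardenedDirectives: [...parseCspHardened(NORMAL_POLICY).keys()],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run the file once with plain 'node' and once with 'node --disable-proto=throw' to see the difference the workaround makes: in the default mode the vulnerable parser returns an object whose prototype is the injected array, whereas in throw mode the same parse fails with ERR_PROTO_ACCESS before any pollution happens. The hardened parser rejects the '__proto__' directive in either mode, which is why the fix in the parser itself is preferable to the process-wide flag.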
