Deno Standard Library @std/toml Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability has been identified in the Deno Standard Library package @std/toml, affecting versions through 1.0.8. The issue arises when the library parses untrusted TOML data, allowing an attacker to manipulate the prototype chain in Node.js and browser environments. The root cause is that the parser merges the untrusted, parsed object into a default empty object ('{}'), which inherits from Object.prototype; a key such as '__proto__' therefore walks into the shared prototype instead of creating an own property. The flaw has been addressed in version 1.0.9.
Impact
An attacker who can supply TOML to the affected parser can add or overwrite properties on the shared object prototype, so every object in the process inherits them, potentially leading to unauthorized access or manipulation of object properties. No direct exploitation path was found within the library itself, but such pollution can be leveraged in applications that use this library, especially if they contain exploitable 'gadgets' (code that reads a property it expects to be absent or unset) that the polluted properties could trigger.
Reproduction
To reproduce this vulnerability, parse a crafted TOML string whose keys traverse the prototype, such as '__proto__.isAdmin' and '__proto__.debug', with values chosen for the target application's gadgets. In a Node.js environment, parsing this data with the '@std/toml' package pollutes the prototype chain; objects that never touched the parsed data then inherit the injected properties, which is what triggers any corresponding 'gadgets' in the application.
Remediation
Users should update to @std/toml version 1.0.9 or later, where this vulnerability has been patched. Applications that cannot upgrade immediately should avoid passing untrusted TOML to the affected versions.
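The following is an added example, not code from the Deno Standard Library or from this advisory. It models the bug class described above with a hypothetical dotted-key assignment routine ('setPathUnsafe') that, like the vulnerable merge, starts from a plain '{}' and follows whatever key the input names, beside a hardened routine ('setPathSafe') that refuses prototype-related keys and builds null-prototype objects. A minimal line parser ('parseDottedLines') and the sample input are constructed for this example; the key shape '__proto__.isAdmin' is the one the advisory names. Everything here is a simplification of real TOML handling and is not the library's API.

```javascript
// Added example (not @std/toml code): vulnerable vs hardened dotted-key assignment.
// Keys that reach the prototype chain or the constructor, refused by the safe setter.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: walks cur[k] for every segment. On a plain object,
// cur["__proto__"] is Object.prototype, so the final assignment lands there.
function setPathUnsafe(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Hardened pattern: reject prototype-related segments outright, only descend
// into own properties, and create intermediate tables without a prototype.
function setPathSafe(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length; i++) {
    const k = path[i];
    if (UNSAFE_KEYS.has(k)) throw new Error(`refusing unsafe key segment "${k}"`);
    if (i === path.length - 1) {
      cur[k] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  return target;
}

// Constructed mini-parser: one "a.b.c = <json value>" per line, '#' comments.
// This is far smaller than TOML; it only exists to feed the setters.
function parseDottedLines(text, setPath, root) {
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) throw new Error(`malformed line: ${line}`);
    const path = line.slice(0, eq).trim().split(".").map((s) => s.trim());
    const value = JSON.parse(line.slice(eq + 1).trim());
    setPath(root, path, value);
  }
  return root;
}

// Constructed sample: a legitimate table plus the key shape named in the advisory.
const CONSTRUCTED_INPUT = `
# constructed sample input
server.port = 8080
server.host = "localhost"
__proto__.isAdmin = true
`;

// Parse with the vulnerable setter and report whether an unrelated object now
// inherits 'isAdmin'. The pollution is undone in 'finally' so it does not leak.
function parseUnsafe(text) {
  try {
    const doc = parseDottedLines(text, setPathUnsafe, {});
    return { port: doc.server.port, polluted: ({}).isAdmin === true };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Parse with the hardened setter on a null-prototype root; throws on bad keys.
function parseSafe(text) {
  return parseDottedLines(text, setPathSafe, Object.create(null));
}

// Post-parse check an application can run: none of the listed names should be
// reachable through Object.prototype after handling untrusted input.
function prototypeIsClean(names) {
  return names.every((n) => !(n in Object.prototype));
}

module.exports = { setPathUnsafe, setPathSafe, parseDottedLines, parseUnsafe, parseSafe, prototypeIsClean, CONSTRUCTED_INPUT };
```

Running 'parseUnsafe' on the sample shows the legitimate 'server.port' value coming through while a fresh '{}' reports 'isAdmin' as true, which is the observable symptom of pollution; 'parseSafe' rejects the same input at the '__proto__' segment and returns a null-prototype document for clean input. The 'prototypeIsClean' check is the kind of assertion worth adding to tests around any configuration parser that accepts untrusted data.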