fast-redact Prototype Pollution Vulnerability Allowing Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the fast-redact package, in versions through 3.5.0. The issue lies in the nestedRestore function, which does not adequately validate user-supplied data and so allows an attacker to inject properties into Object.prototype. Because almost every JavaScript object inherits from Object.prototype, this can change the behavior of objects throughout the application, leading to potential denial-of-service conditions, data integrity issues, or cross-site scripting vulnerabilities in applications that use fast-redact for redacting sensitive information.
Impact
Exploitation of this vulnerability results in prototype pollution: an attacker can inject properties into Object.prototype. This could disrupt the behavior of JavaScript objects, potentially causing denial-of-service conditions, compromising data integrity, or introducing cross-site scripting vulnerabilities in applications that rely on fast-redact for data redaction.
Reproduction
To reproduce this vulnerability, use fast-redact version 3.5.0 or earlier. The vulnerability can be triggered by calling the nestedRestore function with a payload that includes deeply nested paths targeting Object.prototype. This will inject properties into the prototype, allowing for unauthorized modifications that can disrupt object behaviors and lead to denial-of-service conditions or other vulnerabilities in the application.
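The class of bug described above, shown as an added example that is not fast-redact's source code: a generic path writer that follows inherited segments, next to a hardened form that refuses them, plus a check for a polluted Object.prototype. The names naiveSet, safeSet, pollutedKeys and demoMarker are assumptions made for this illustration.

```javascript
// Added example: generic path writers, NOT fast-redact's source code.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Naive form: follows every segment, inherited ones included, so a
// "__proto__" segment walks from the target onto Object.prototype.
function naiveSet(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (node[path[i]] === undefined) node[path[i]] = {};
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened form: refuses prototype-reaching segments, descends only
// through own properties, and defines (never assigns) each key.
function safeSet(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) throw new TypeError('empty path');
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const put = (o, k, v) => Object.defineProperty(o, k,
    { value: v, writable: true, enumerable: true, configurable: true });
  let node = target;
  path.forEach((segment, i) => {
    const key = String(segment);
    if (FORBIDDEN.has(key)) throw new RangeError(`refused segment: ${key}`);
    if (i === path.length - 1) return put(node, key, value);
    if (!own(node, key)) put(node, key, {});
    if (node[key] === null || typeof node[key] !== 'object') throw new TypeError(`not an object at: ${key}`);
    node = node[key];
  });
  return target;
}

// Detection: a clean runtime has no enumerable keys on Object.prototype.
const pollutedKeys = () => Object.keys(Object.prototype);

// Constructed demonstration; the marker name is made up and removed again.
function demo() {
  naiveSet({}, ['__proto__', 'demoMarker'], true);
  const naivePolluted = pollutedKeys().includes('demoMarker');
  delete Object.prototype.demoMarker;
  let safeRejected = false;
  try { safeSet({}, ['__proto__', 'demoMarker'], true); } catch (e) { safeRejected = e instanceof RangeError; }
  return { naivePolluted, safeRejected, cleanAfter: pollutedKeys() };
}
```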
