magix-combine-ex Prototype Pollution Vulnerability Allowing Denial-of-Service

A prototype pollution vulnerability has been identified in the Node.js package 'magix-combine-ex' versions prior to and including 1.2.10. The issue arises in the 'util-deps' module, specifically within the 'addFileDepend' function, where user input is not properly sanitized. This vulnerability allows attackers to manipulate the 'riskyName' parameter to inject properties into the Object.prototype, affecting the prototype chain of objects handled by the module. The exploitation of this vulnerability can disrupt the application's normal functioning, causing a denial-of-service condition.

Impact

Exploitation of this vulnerability leads to prototype pollution, allowing attackers to inject properties into the Object.prototype. This can disrupt the normal behavior of the application or its dependencies, potentially causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, use 'magix-combine-ex' version 1.2.10 or earlier. In the 'util-deps' module, call the 'addFileDepend' function with a crafted payload that includes a malicious key, such as '__proto__', in the 'riskyName' parameter. This will inject properties into the Object.prototype, demonstrating the prototype pollution vulnerability.