mpregular Prototype Pollution Vulnerability Allowing Denial-of-Service

Vulnerability

A prototype pollution vulnerability has been identified in the mpregular package, specifically in versions through 0.2.0. The issue arises in the mp.addEventHandler function, where user-supplied event identifiers can be crafted to inject properties into Object.prototype. This manipulation can lead to denial-of-service conditions, as the introduced properties may disrupt normal application behavior when accessed during runtime.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into the Object prototype. This can cause denial-of-service conditions or lead to unexpected behavior in the application when the polluted properties are accessed.

Reproduction

To reproduce this vulnerability, use the mpregular package in a version prior to 0.2.0. The vulnerability can be triggered by calling the addEventHandler method and supplying an event identifier that includes modifications to the prototype chain, such as injecting a property into Object.prototype. This crafted payload will be processed without proper sanitization, allowing the injection of arbitrary properties into the Object prototype.
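The pattern described above, as an added example that is not mpregular's own code: a hypothetical addEventHandler-style registry that walks dotted event identifiers, shown in a vulnerable form beside a hardened one, with a small check a defender can run to confirm Object.prototype is clean. The event identifiers are constructed inputs.

```javascript
// Added example (not mpregular's code): a hypothetical addEventHandler-style
// registry that splits an event id on "." and stores the handler at that path.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: nested lookup on a plain object, keyed by caller input.
// A plain object inherits from Object.prototype, so the segment "__proto__"
// resolves to Object.prototype and the final assignment lands there.
function addEventHandlerUnsafe(registry, id, handler) {
  const parts = id.split('.');
  let node = registry;
  for (const key of parts.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = handler;
  return registry;
}

// Hardened pattern: reject prototype-chain keys up front, and keep handlers in
// null-prototype objects so there is no Object.prototype to reach at all.
function addEventHandlerSafe(registry, id, handler) {
  const parts = id.split('.');
  if (parts.some((k) => k === '' || FORBIDDEN_KEYS.has(k))) {
    throw new TypeError(`refusing event id with prototype-chain key: ${id}`);
  }
  let node = registry;
  for (const key of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key)) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = handler;
  return registry;
}

function newRegistry() {
  return Object.create(null);
}

// Defender's check: Object.prototype's built-in members are non-enumerable, so
// any enumerable key found here was injected. Returns the injected names.
function unexpectedPrototypeKeys() {
  return Object.keys(Object.prototype);
}
```

Running unexpectedPrototypeKeys() after exercising an event-registration path is a quick way to confirm whether a given version leaks caller-controlled keys onto the shared prototype.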

Added: Sep 24, 2025, 10:07 PM
Updated: Sep 24, 2025, 10:07 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.8
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.