Parse JavaScript SDK Prototype Pollution Vulnerability Allowing Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the Parse JavaScript SDK, versions 5.3.0 and earlier. The issue resides in the SingleInstanceStateController component, where improper handling of user-supplied class names during state initialization allows attackers to inject properties into Object.prototype. At a minimum, this leads to denial-of-service conditions.
Impact
Exploitation of this vulnerability results in prototype pollution: an attacker can inject properties into Object.prototype, which every ordinary object in the process inherits from. This can disrupt the normal behavior of the application, cause denial-of-service conditions, or potentially bypass security mechanisms that rely on the integrity of the object prototype.
Reproduction
To reproduce this vulnerability, send a crafted payload that includes a className value of '__proto__' to the SingleInstanceStateController.initializeState function. This triggers the prototype pollution by injecting properties into Object.prototype.
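The pattern behind this class of bug, shown as an added example next to a hardened form. This is a simplified model of a state store keyed by class name, not the Parse SDK's source; `makeUnsafeStore`, `makeSafeStore`, `pollutes` and the sample values are hypothetical names constructed for illustration.

```javascript
// Added illustration: simplified two-level state store keyed by class name and id.
// Not the Parse SDK's code; all names and sample values here are constructed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: a plain object literal used as a map of maps.
function makeUnsafeStore() {
  const objectState = {};
  return {
    initializeState(className, id, initial = {}) {
      // objectState['__proto__'] resolves to Object.prototype, which is truthy,
      // so no fresh bucket is created and the write below lands on the prototype.
      if (!objectState[className]) objectState[className] = {};
      objectState[className][id] = initial;
      return initial;
    },
  };
}

// Hardened pattern: reject prototype-related keys and use prototype-less maps.
function makeSafeStore() {
  const objectState = Object.create(null);
  return {
    initializeState(className, id, initial = {}) {
      for (const key of [className, id]) {
        if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
          throw new TypeError(`rejected state key: ${String(key)}`);
        }
      }
      if (!objectState[className]) objectState[className] = Object.create(null);
      objectState[className][id] = initial;
      return initial;
    },
  };
}

// Check: does an unrelated empty object inherit `prop` after the call?
// Removes the test property again so the process is left clean.
function pollutes(store, className, prop) {
  try {
    store.initializeState(className, prop, { constructed: true });
  } catch (_) { /* rejected by the hardened store */ }
  const polluted = prop in {};
  delete Object.prototype[prop];
  return polluted;
}
```

The same `prop in {}` check works as a regression test after upgrading: it should report no inherited property regardless of the class name supplied.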
