dagre-d3-es Prototype Pollution Vulnerability in Node.js Package
Vulnerability
A prototype pollution vulnerability has been identified in the 'dagre-d3-es' Node.js package, specifically in version 7.0.9. The issue arises in the 'bk' module's 'addConflict' function, which inadequately sanitizes user-supplied input during property assignment. This vulnerability allows attackers to inject malicious values, such as '__proto__', to manipulate the JavaScript Object prototype chain. Exploitation of this flaw could result in denial-of-service conditions, unpredictable application behavior, or the execution of arbitrary code in situations where the polluted properties are accessed or executed.
Impact
Exploitation of this vulnerability allows for unauthorized modification of the JavaScript Object prototype, leading to potential denial-of-service conditions, application crashes, or arbitrary code execution in contexts where the polluted properties are accessed.
Reproduction
To reproduce this vulnerability, use 'dagre-d3-es' version 7.0.9 and call the 'addConflict' function in the 'bk' module with a key that includes malicious input, such as '__proto__'. This will inject the key into the Object prototype, allowing for prototype pollution.
Remediation
Users are advised to upgrade to 'dagre-d3-es' version 7.0.11 or later, where this vulnerability has been addressed.
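For teams auditing their own code for the same class of bug, the following added example (not code from dagre-d3-es or its patch) contrasts an unsanitized nested-map assignment of the kind described above with a hardened form, and includes a regression check. The function names and the marker value are hypothetical.

```javascript
// Added illustration, not dagre-d3-es source. All names are hypothetical.

// Unsafe pattern: a plain object used as a map, keyed by caller-supplied strings.
function addConflictUnsafe(conflicts, v, w) {
  let entry = conflicts[v]; // for v === "__proto__" this resolves to Object.prototype
  if (!entry) {
    conflicts[v] = entry = {};
  }
  entry[w] = true; // so this write lands on the shared prototype
}

// Hardened pattern: only own properties count, buckets have no prototype, and
// defineProperty creates a real own property even when the key is "__proto__".
function addConflictSafe(conflicts, v, w) {
  if (!Object.prototype.hasOwnProperty.call(conflicts, v)) {
    Object.defineProperty(conflicts, v, {
      value: Object.create(null),
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  conflicts[v][w] = true;
}

// Regression check: does a fresh object inherit the marker after each call?
function checkPollution() {
  const marker = "pollutionMarker"; // constructed test value
  addConflictUnsafe({}, "__proto__", marker);
  const unsafePolluted = ({})[marker] === true;
  delete Object.prototype[marker]; // undo the side effect before the next check

  const conflicts = {};
  addConflictSafe(conflicts, "__proto__", marker);
  const safePolluted = ({})[marker] === true;
  const stored = conflicts["__proto__"][marker] === true;
  return { unsafePolluted, safePolluted, stored };
}

console.log(checkPollution());
```

A check like `checkPollution` can run in CI against any helper that assigns properties from untrusted keys, so a regression shows up as a failing test rather than as shared-prototype state in production.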
