node-cube Prototype Pollution Vulnerability Allowing Denial-of-Service and Arbitrary Code Execution
Vulnerability
A prototype pollution vulnerability exists in the node-cube package in versions prior to 5.0.0. The issue arises from improper validation of user input during resource initialization, allowing attackers to inject properties into the prototype of built-in JavaScript objects. This vulnerability, categorized under CWE-1321, could be exploited to cause a denial-of-service or execute arbitrary code in the affected environment.
Impact
Exploitation of this vulnerability allows for prototype pollution, which can disrupt application logic, corrupt data integrity, or enable arbitrary code execution within the Node.js runtime.
Reproduction
The vulnerability can be reproduced by using a version of the node-cube package prior to 5.0.0. During the package's resource initialization process, untrusted input can be supplied without proper validation. This input can manipulate the prototype chains of native objects, such as Object.prototype, injecting arbitrary properties. Once the prototype has been polluted, the injected properties can be exploited to disrupt application functionality or execute malicious code.
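The bug class described above (CWE-1321), as an added example that is not node-cube's code and not part of the original advisory: a generic recursive merge that follows a `__proto__` key from parsed JSON, beside a hardened version that rejects such keys. The function names, the `pollutedMarker` property and the sample input are assumptions made for illustration.

```javascript
// Added illustration of CWE-1321; not node-cube's source. All names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: a recursive merge that follows every key in untrusted input.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // For key "__proto__", target[key] resolves to Object.prototype itself.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: reject prototype-reaching keys and only descend into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) throw new TypeError(`rejected key: ${key}`);
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function demo() {
  // Constructed sample input; JSON.parse creates "__proto__" as an ordinary own key.
  const untrusted = JSON.parse('{"name":"res","__proto__":{"pollutedMarker":true}}');
  unsafeMerge({}, untrusted);
  const afterUnsafe = ({}).pollutedMarker === true; // unrelated object now inherits it
  delete Object.prototype.pollutedMarker;           // clean up before the second run
  let rejected = false;
  try { safeMerge({}, untrusted); } catch (e) { rejected = e instanceof TypeError; }
  const afterSafe = ({}).pollutedMarker === true;
  return { afterUnsafe, rejected, afterSafe };
}

console.log(demo());
```

Throwing on a blocked key, rather than silently skipping it, gives the application a loggable signal that input attempted to reach the prototype chain.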
