min-document Prototype Pollution Vulnerability Allowing Denial-of-Service or Arbitrary Code Execution

A prototype pollution vulnerability has been identified in the 'min-document' package, affecting versions prior to 2.19.0. The issue arises from improper handling of namespace operations in the 'removeAttributeNS' method, which allows attackers to manipulate the prototype chain of JavaScript objects by processing malicious input that includes the '__proto__' property. This manipulation can lead to denial-of-service conditions or arbitrary code execution within applications using the affected package. The vulnerability is rooted in insufficient validation of attribute namespace removal operations, enabling unintended modifications of critical object prototypes. Notably, while version 2.19.0 is the latest available release, the vulnerability remains unaddressed in this version.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can manipulate JavaScript object prototypes. This could lead to overwriting or deleting essential object properties, causing denial-of-service conditions, or potentially executing arbitrary code in the application's context.

Reproduction

To reproduce this vulnerability, use a version of the 'min-document' package prior to 2.19.0. Input a namespace removal operation in the 'removeAttributeNS' method that includes the '__proto__' property. This will trigger the improper handling of the input, allowing manipulation of the prototype chain of JavaScript objects.