Counterpart Prototype Pollution Vulnerability in Node.js and Browser Environments
Vulnerability
A prototype pollution vulnerability has been identified in the 'counterpart' library, affecting versions prior to 0.18.6. This vulnerability arises from inadequate sanitization of user-controlled input in the 'translate' method, allowing attackers to inject maliciously crafted keys that manipulate the library's translation functionality. By exploiting this flaw, attackers can introduce arbitrary properties into the JavaScript Object prototype, potentially leading to denial-of-service conditions or remote code execution in applications that use the library.
Impact
Exploitation of this vulnerability allows for prototype pollution, where arbitrary properties can be added to the JavaScript Object prototype. This could disrupt the application's normal behavior, cause crashes, or enable remote code execution, depending on how the polluted prototype is used within the application.
Reproduction
To reproduce this vulnerability, use a version of the 'counterpart' library prior to 0.18.6. The vulnerability can be triggered by calling the 'translate' method with a key that includes prototype chain elements, such as '__proto__', combined with specific separator configurations. This will inject properties into the Object prototype, demonstrating the prototype pollution.
Remediation
Users are advised to update to 'counterpart' version 0.18.6 or later, where this vulnerability has been addressed.
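As defence in depth alongside the upgrade, an application can refuse translation keys that address the prototype chain before they reach the library. The following is an added example, not code from the counterpart project: the helper names are hypothetical, and it assumes keys and scopes are strings or arrays of strings, with '.' as the separator unless a 'separator' option overrides it.

```javascript
// Added example; helper names are hypothetical, not part of counterpart.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Flatten a key or scope (string or nested array) into a list of strings.
function flattenParts(value) {
  if (value === undefined || value === null) return [];
  if (Array.isArray(value)) return value.flatMap(flattenParts);
  return [String(value)];
}

// True when no part of scope or key can address the prototype chain.
function isSafeTranslationKey(key, options) {
  const opts = options || {};
  // Assumption: '.' is the separator unless opts.separator overrides it.
  const separator = typeof opts.separator === 'string' && opts.separator
    ? opts.separator : '.';
  for (const part of [...flattenParts(opts.scope), ...flattenParts(key)]) {
    // Separator-independent: '__proto__' never belongs in a translation key.
    if (part.includes('__proto__')) return false;
    for (const segment of part.split(separator)) {
      if (FORBIDDEN_SEGMENTS.has(segment)) return false;
    }
  }
  return true;
}

// Wrap a translate function so rejected keys never reach the library.
function guardTranslate(translateFn) {
  return function guardedTranslate(key, options) {
    if (!isSafeTranslationKey(key, options)) {
      throw new TypeError('translation key rejected: addresses the prototype chain');
    }
    return translateFn(key, options);
  };
}

// Canary for tests and health checks: enumerable properties on Object.prototype.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}
```

Pass the library's translate method, bound to its instance, to guardTranslate and route user-influenced keys through the returned function. A non-empty result from pollutedPrototypeKeys() in a test run or health check indicates that something has already written to Object.prototype.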
