sveltekit-superforms Prototype Pollution Vulnerability in parseFormData Function

Vulnerability

A prototype pollution vulnerability has been identified in sveltekit-superforms versions through 2.27.3. The issue arises in the parseFormData function in formData.js, where an attacker-controlled form field name can add properties to Object.prototype. Such pollution can lead to denial of service, type confusion and, in downstream applications that use the polluted objects, potentially remote code execution. The vulnerability is triggered through crafted form data, specifically the __superform_json parameter, which is processed in a way that allows the prototype to be modified.

Impact

Exploitation of this vulnerability allows for the injection of properties into Object.prototype, which can cause type confusion and denial of service. In some cases, this can be escalated to remote code execution, particularly in applications that use vulnerable libraries or have certain functionalities exposed.

Reproduction

To reproduce this vulnerability, send a POST request to a SvelteKit application using sveltekit-superforms version 2.27.3 or prior. Include the __superform_json parameter with a value of '[{}]', and inject prototype properties through the __superform_file___proto__ or __superform_files___proto__ parameters. The injected properties can be crafted to overwrite critical prototype methods, such as toString, leading to application-wide denial of service. In environments with suitable JavaScript execution gadgets, such as the popular nodemailer library, this vulnerability can be escalated to remote code execution.

Remediation

Users can upgrade to sveltekit-superforms version 2.27.4 or later, where this vulnerability has been fixed.
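The following is an added example; it is not code from sveltekit-superforms or its maintainers, and it does not reproduce the library's parseFormData logic or its field-naming scheme. It shows the generic mechanism the advisory describes (a nested-key setter that follows a user-supplied "__proto__" segment and so writes into Object.prototype), a hardened setter that refuses such segments, and a request-level filter an application could run over incoming form field names while waiting to upgrade. The field names in the demo are constructed to match the shape described in the Reproduction section; separators and helper names are assumptions.

```javascript
// Added example, not sveltekit-superforms code. Demonstrates the unsafe
// nested-assignment pattern behind prototype pollution, a hardened setter,
// and a defensive filter over form field names.

const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern (shown only to illustrate the bug class): every path segment,
// including "__proto__", is followed or created. For a path like
// ["__proto__", "x"], node becomes Object.prototype and "x" is written there,
// so every object in the process then inherits it.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened setter: rejects prototype-reaching segments up front, descends only
// into own properties, and creates intermediate nodes without a prototype.
function setPathSafe(target, path, value) {
  for (const key of path) {
    if (DANGEROUS_SEGMENTS.has(key)) {
      throw new Error(`refusing to set prototype-reaching key "${key}"`);
    }
  }
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Does a field name carry a prototype-reaching token as a distinct segment?
// Boundaries are approximated with non-alphanumeric characters (including "_"),
// so "file___proto__" and "user.constructor.name" match while "myprototypes"
// does not.
const DANGEROUS_NAME = /(^|[^a-z0-9])(__proto__|constructor|prototype)(?=[^a-z0-9]|$)/i;

function isDangerousFieldName(name) {
  return DANGEROUS_NAME.test(name);
}

// Pre-parse filter: takes an iterable of field names (in a real handler,
// request.formData().keys()) and returns the offending ones so the request
// can be rejected with a 400 before any nested assignment happens.
function findDangerousFields(fieldNames) {
  const bad = [];
  for (const name of fieldNames) {
    if (isDangerousFieldName(name)) bad.push(name);
  }
  return bad;
}

// Constructed submission mirroring the shape described in the advisory.
// Runs the unsafe setter to show the pollution, then cleans Object.prototype.
function demo() {
  const submittedNames = ['__superform_json', '__superform_file___proto__', 'email'];
  const flagged = findDangerousFields(submittedNames);

  const beforeUnsafe = ({}).polluted;                 // undefined on a clean prototype
  setPathUnsafe({}, ['__proto__', 'polluted'], 'yes');
  const afterUnsafe = ({}).polluted;                  // 'yes': every object now inherits it
  delete Object.prototype.polluted;                   // undo the demonstration
  const cleanedUp = ({}).polluted === undefined;

  let safeRefused = false;
  try {
    setPathSafe({}, ['__proto__', 'polluted'], 'yes');
  } catch (e) {
    safeRefused = true;
  }

  return { flagged, beforeUnsafe, afterUnsafe, cleanedUp, safeRefused };
}

console.log(demo());
```

The filter is a stop-gap, not a substitute for the fixed release: it blocks the names this bug class depends on before any parsing runs, while setPathSafe shows the property a corrected parser needs, namely that user-supplied segments can never select Object.prototype.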

Added: Oct 15, 2025, 6:20 PM
Updated: Oct 15, 2025, 8:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.6
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.