parse-ini Prototype Pollution Vulnerability

A prototype pollution vulnerability exists in the npm package parse-ini, specifically in version 1.0.6. The issue arises in the index.js file, where the code fails to validate the presence of attacker-controlled prototypes that can be introduced through .ini files. This vulnerability allows attackers to add arbitrary properties to the prototypes of global objects, which may be inherited by user-defined objects, potentially leading to code execution or a denial-of-service condition in certain scenarios.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can manipulate the prototype of an object, potentially leading to code execution or causing a denial-of-service condition in specific situations.

Reproduction

To reproduce this vulnerability, use the parse-ini package to parse an .ini file that includes a prototype pollution payload. The payload should be crafted to include a section that targets the prototype, such as adding a 'polluted' property. After parsing the file, the pollution can be verified by checking the prototype of the resulting object or the global object.