query-string-parser Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability exists in the npm package query-string-parser, specifically in version 1.0.0. The vulnerability arises because the package fails to properly sanitize user-supplied query parameters, allowing them to be merged into newly created objects. This issue is located in the '_fillValue' function within 'index.js', where the 'fromQuery' method parses query parameters. Exploitation of this vulnerability can lead to the pollution of the object's prototype, potentially allowing an attacker to manipulate object properties in a harmful way.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can modify the prototype of base objects, leading to the potential manipulation of object properties and methods. This could be exploited to bypass certain security measures or introduce malicious behavior into the application.

Reproduction

To reproduce this vulnerability, first install the 'query-string-parser' package version 1.0.0. Then, use the 'fromQuery' function to parse a query string that includes a '__proto__' property with a custom value, such as 'polluted'. After parsing, the polluted prototype can be verified by checking the '__proto__' property of a newly created object, which will reflect the injected value. This demonstrates how the vulnerability allows for prototype pollution by manipulating the object's prototype chain.
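The failure mode described above, as an added example that is not the package's own code: a hypothetical nested-key query parser with a naive fill routine beside a hardened one that rejects '__proto__', 'constructor' and 'prototype' path segments. All function names (keyPath, fillNaive, fillSafe, parseQuery, demoPollution) and the bracketed key syntax are assumptions for illustration; the sample query string is constructed.

```javascript
// Added example: hypothetical nested-key query parser, NOT query-string-parser's code.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Split a bracketed key such as "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  return rawKey.split(/[\[\]]+/).filter(Boolean);
}

// Naive fill: plain property access lets a "__proto__" segment resolve to Object.prototype.
function fillNaive(target, path, value) {
  let node = target;
  for (const seg of path.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
}

// Hardened fill: refuses dangerous segments and only descends into own properties.
function fillSafe(target, path, value) {
  if (path.some((seg) => FORBIDDEN.has(seg))) return false;
  let node = target;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null); // no prototype chain to walk into
    }
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return true;
}

// Parse a query string with the given fill strategy.
function parseQuery(query, fill) {
  const result = {};
  for (const [key, value] of new URLSearchParams(query)) {
    const path = keyPath(key);
    if (path.length > 0) fill(result, path, value);
  }
  return result;
}

// Parse with the naive fill, report whether Object.prototype gained `prop`, then clean up.
function demoPollution(query, prop) {
  parseQuery(query, fillNaive);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, prop);
  delete Object.prototype[prop];
  return polluted;
}
```

With the constructed input '__proto__[polluted]=yes', demoPollution reports that the naive fill wrote to Object.prototype, while parseQuery with fillSafe drops that key and still parses ordinary nested keys.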

Added: May 7, 2026, 4:39 PM
Updated: May 7, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.