Vuetify Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability has been identified in Vuetify versions 2.2.0-beta.2 through 3.0.0-alpha.10. The issue arises from the 'mergeDeep' utility function, which recursively merges user-defined options with default settings. By crafting a malicious preset, it is possible to inject arbitrary properties into Object.prototype, and therefore into every object that inherits from it, disrupting the application's functionality and potentially leading to further security issues such as unauthorized data access or resource exhaustion. In applications using Server-Side Rendering (SSR), the pollution lives in the shared Node.js process and can affect every request served by it.

Impact

Exploitation of this vulnerability allows for prototype pollution, where all JavaScript objects are injected with arbitrary properties. This can disrupt the application's behavior and, in SSR environments, affect the entire server process. Additionally, such pollution can lead to resource exhaustion, causing a denial-of-service condition, or facilitate unauthorized access to sensitive data.

Reproduction

To reproduce this vulnerability, initialize a Vue application with Vuetify using a malicious preset that adds a 'polluted' property to the prototype. Afterward, check for the existence of this property on a clean object, which should now reflect the pollution.
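The check described above, applied to the bug class rather than to Vuetify itself, as an added example that is not code from the Vuetify project: `naiveMergeDeep` is a generic recursive option-merge of the kind the advisory describes (it is not Vuetify's `mergeDeep`), `safeMergeDeep` is the hardened form that refuses to walk into prototype-reaching keys, and `demonstrate` runs both against a constructed preset and reports whether a fresh object inherited the injected property. All function names and the sample preset are assumptions for this example.

```javascript
// Added example (not Vuetify code). Shows why a recursive option merge must
// refuse the keys "__proto__", "constructor" and "prototype", and how to
// check a process for pollution after merging untrusted configuration.

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True for objects created by literals, JSON.parse or Object.create(null).
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern: recurses into every key of `source`. JSON.parse turns a
// "__proto__" key into an own property, and reading target["__proto__"] on a
// plain object yields Object.prototype, so the recursion writes into it.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const sourceValue = source[key];
    if (isPlainObject(sourceValue)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMergeDeep(target[key], sourceValue);
    } else {
      target[key] = sourceValue;
    }
  }
  return target;
}

// Hardened form: skip prototype-reaching keys and only recurse into an OWN
// plain-object property of `target`, never into an inherited one.
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const sourceValue = source[key];
    if (isPlainObject(sourceValue)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMergeDeep(isPlainObject(own) ? own : {}, sourceValue);
    } else {
      target[key] = sourceValue;
    }
  }
  return target;
}

// Detection check: a freshly created object must not see the marker property.
function isPrototypePolluted(marker) {
  return ({})[marker] !== undefined;
}

// Constructed preset: a "__proto__" key next to ordinary theme options, as a
// malicious preset would supply. The defaults stand in for library settings.
function demonstrate() {
  const preset = JSON.parse('{"__proto__": {"polluted": "yes"}, "theme": {"dark": true}}');
  const defaults = () => ({ theme: { dark: false, primary: "#1976D2" } });

  const naive = naiveMergeDeep(defaults(), preset);
  const naiveLeaked = isPrototypePolluted("polluted");
  delete Object.prototype.polluted; // undo the pollution so the process is usable again

  const safe = safeMergeDeep(defaults(), preset);
  const safeLeaked = isPrototypePolluted("polluted");

  return { naiveLeaked, safeLeaked, naiveTheme: naive.theme, safeTheme: safe.theme };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrate());
}
```

The key-name blocklist alone is not sufficient if `target[key]` can be an inherited object, which is why the hardened version also restricts recursion to own properties; merging into objects created with `Object.create(null)` is a further option when the merged result never needs `Object.prototype` methods. In an SSR deployment, the `isPrototypePolluted` style check is cheap enough to run in a health probe after configuration is loaded.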

Remediation

Vuetify v2 is End-of-Life and will not receive updates. Users should migrate to Vuetify v3 or consult HeroDevs for support.

Added: Dec 12, 2025, 8:17 PM
Updated: Dec 12, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 3.1
exploitability: 6.0
remediation: 7.7
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.