CartoDB carto-api-client
- 0.5.29
A prototype pollution vulnerability has been identified in CartoDB's carto-api-client version 0.5.29. The issue arises in the addFilter function within src/filters.ts, where improper handling of the column argument allows for unauthorized modification of object prototype properties. This vulnerability can be exploited remotely.
Exploitation of this vulnerability leads to prototype pollution, where an attacker can manipulate the Object.prototype, causing all ordinary objects to inherit the polluted properties. This can disrupt application logic that depends on standard object behavior, potentially leading to logic bypasses, unexpected errors, or denial-of-service conditions.
The vulnerability can be reproduced by calling the addFilter function with a column value of '__proto__'. This action will result in the filter data being written to the Object.prototype, allowing for the creation of inherited properties on ordinary objects.
To address this vulnerability, it is recommended to validate and reject any column or type values that could lead to prototype pollution before they are used as dynamic keys on objects. Additionally, ensuring that filters are created as own properties and not inherited ones can help mitigate the risk.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.