Tarkov Data Manager Authentication Bypass Vulnerability Granting Admin Access
Vulnerability
An authentication bypass vulnerability has been identified in the Tarkov Data Manager login endpoint, allowing any unauthenticated user to obtain full admin access to the admin panel. The vulnerability, present in versions through 2.0.0, arises from two weaknesses in the login check: the username is used as a property lookup that reaches inherited JavaScript prototype properties (such as '__proto__') rather than only stored user records, and the credential comparison uses loose equality ('=='), whose type coercion lets that inherited object compare equal to an attacker-chosen string. The issue was acknowledged and fixed in a series of commits on January 2, 2025.
Impact
Exploitation requires no credentials and no prior account. A successful request yields an admin session, which can lead to full control over the application and the data it manages.
Reproduction
To reproduce this vulnerability, send a POST request to the '/auth' endpoint with 'username' set to '__proto__' and 'password' set to '[object Object]'. The username '__proto__' resolves to the inherited Object.prototype instead of a stored user record, and the loose comparison coerces that object to its default string form, '[object Object]', so the password check passes. The request is accepted and a session is created that includes admin privileges.
Remediation
The vulnerability can be remediated by using 'Object.hasOwn()' so that the lookup only succeeds for the store's own properties, excluding inherited prototype properties, and by comparing credentials with strict equality ('==='), which never coerces types. Storing credentials in a 'Map' or in a null-prototype object removes the inherited properties altogether and is a sound complement to both checks. After updating the code, it is advisable to audit application log files for login attempts with prototype property names ('__proto__', 'constructor' and similar) as the username, which would indicate prior exploitation.
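The following JavaScript is an added illustration of the Reproduction and Remediation sections above; it is not the Tarkov Data Manager code base. The credential store, the function names, the sample log lines and their format are all assumptions made for this example. It shows the vulnerable lookup-and-compare beside the hardened form, generalises from '__proto__' to other inherited property names, and includes a small audit helper of the kind one would run over login logs after patching.

```javascript
'use strict';

// Illustrative reconstruction, not the project's own code: the store,
// function names and log format below are assumptions for this example.

// Constructed credential store. A plain object literal inherits from
// Object.prototype, so names like "__proto__" and "constructor" resolve
// even though no such user was ever added.
const users = {
  admin: 'correct horse battery staple',
  reader: 'hunter2',
};

// Vulnerable form: a bracket lookup walks the prototype chain, and `==`
// coerces a non-string result to a string before comparing.
// users['__proto__'] is Object.prototype, and
// Object.prototype == '[object Object]' evaluates to true.
function authenticateVulnerable(store, username, password) {
  const stored = store[username];
  if (stored == password) {
    return { ok: true, user: username };
  }
  return { ok: false };
}

// Hardened form, following the advisory's remediation: only own
// properties count (Object.hasOwn), and strict equality (===) never
// coerces, so an inherited object can no longer match a string.
function authenticateFixed(store, username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') {
    return { ok: false };
  }
  if (!Object.hasOwn(store, username)) {
    return { ok: false };
  }
  const stored = store[username];
  if (typeof stored !== 'string' || stored !== password) {
    return { ok: false };
  }
  return { ok: true, user: username };
}

// Generalisation: "__proto__" is only the most convenient inherited name.
// Returns every candidate username the vulnerable lookup resolves to a value.
function reachableByVulnerableLookup(store, candidates) {
  return candidates.filter((name) => store[name] !== undefined);
}

// Constructed sample log lines (assumed format: one line per request).
const sampleLog = [
  '2025-01-02T09:00:00Z POST /auth username=admin status=200',
  '2025-01-02T09:05:13Z POST /auth username=__proto__ status=200',
  '2025-01-02T09:05:40Z POST /auth username=constructor status=200',
  '2025-01-02T09:06:02Z POST /auth username=reader status=401',
  '2025-01-02T09:07:00Z GET /admin status=200',
];

// Audit helper for the "check logs for prior exploitation" step: flags any
// login whose username exists on the store only through the prototype
// chain (visible to `in`, invisible to Object.hasOwn).
function findPrototypeUsernames(lines, store) {
  const hits = [];
  for (const line of lines) {
    const m = /username=([^\s]+)/.exec(line);
    if (!m) continue;
    const name = decodeURIComponent(m[1]);
    if (name in store && !Object.hasOwn(store, name)) {
      hits.push({ username: name, line });
    }
  }
  return hits;
}

console.log(authenticateVulnerable(users, '__proto__', '[object Object]')); // { ok: true, user: '__proto__' }
console.log(authenticateFixed(users, '__proto__', '[object Object]'));      // { ok: false }
console.log(reachableByVulnerableLookup(users, ['admin', '__proto__', 'constructor', 'toString', 'nobody']));
console.log(findPrototypeUsernames(sampleLog, users).map((h) => h.username)); // [ '__proto__', 'constructor' ]
```

Run it with Node 16.9 or later (the version that introduced Object.hasOwn). The hardened function also rejects non-string inputs before the lookup, which matters when the request body is parsed into objects or arrays rather than strings; in production the stored value would be a password hash compared with a constant-time routine, which the advisory does not cover and this example does not attempt.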
