deepHas Prototype Pollution Vulnerability

A prototype pollution vulnerability exists in the deepHas npm package, specifically in version 1.0.7. This vulnerability allows attackers to modify the behavior of global objects. The issue arises in the 'add()' and 'indexer()' functions within 'deepHas.js'. Although version 1.0.7 includes measures to prevent prototype pollution by checking property ownership and forbidden string usage, these checks can be bypassed. As a result, attackers can inject properties into Object.prototype, leading to potential security risks.

Impact

Exploitation of this vulnerability allows for prototype pollution, which can have serious security consequences depending on how the deepHas package is used in applications. It could lead to authentication bypass, denial of service, or remote code execution if the polluted property is used in a context like eval or child_process.

Reproduction

To reproduce this vulnerability, install version 1.0.7 of the deepHas package. Then, use one of the provided proof-of-concept code snippets. Both snippets demonstrate how to bypass the package's prototype pollution protections and inject a 'polluted' property into the Object.prototype.

Remediation

Users can upgrade to deepHas version 1.0.8, which addresses the prototype pollution vulnerability.