Locutus Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability exists in the Locutus library, in versions from 2.0.12 up to but not including 2.0.39. A crafted query string passed to the parse_str function can pollute Object.prototype. An earlier fix attempted to address this by checking user input for forbidden keys such as constructor and prototype, but that guard relies on String.prototype.includes and is bypassed when that method is overridden. The vulnerability is patched in version 2.0.39.

Impact

Exploitation of this vulnerability leads to prototype pollution, whose consequences depend on how the affected application uses the Locutus library and what reads the polluted properties afterwards. Potential impacts include authentication bypass, denial of service, and remote code execution if the polluted properties reach sinks such as eval or child_process.

Reproduction

To reproduce this vulnerability, install Locutus version 2.0.12 or any later version prior to 2.0.39. Override String.prototype.includes so that it always returns false. Then call the parse_str function from the locutus.php.strings module with a payload designed to pollute the prototype, such as 'constructor[prototype][polluted]=yes'. Because the forbidden-key check relies on the tampered includes method, parse_str does not reject the input. After the call, read the polluted property on a fresh object (or on Object.prototype directly) to confirm that the shared prototype was modified.
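The following is an added example, not Locutus code and not the project's own fix. It uses a small constructed stand-in for a parse_str-style parser so that the guard pattern the advisory describes, its bypass through an overridden String.prototype.includes, and a guard that does not depend on that method can all be run offline. The function names (parseStrGuarded, parseStrHardened, reproduceBypass, hardenedUnderTamper) and the parsing details are assumptions for illustration and do not mirror the library's implementation.

```javascript
// Added example: a minimal parse_str-style parser (constructed, not Locutus
// code) showing a forbidden-key guard built on String.prototype.includes,
// its bypass, and a guard that does not rely on that method.

const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];

// "a[b][c]" -> ["a", "b", "c"]; "a" -> ["a"]
function splitKey(rawKey) {
  return decodeURIComponent(rawKey).replace(/\]/g, '').split('[');
}

function splitPair(pair) {
  const eq = pair.indexOf('=');
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
  return [rawKey, value];
}

// Naive path write: follows inherited properties, so obj.constructor leads to
// Object and Object.prototype leads to the shared prototype.
function setPathNaive(obj, keys, value) {
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const next = cur[k];
    if (next === null || (typeof next !== 'object' && typeof next !== 'function')) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Guard in the style the advisory describes: a substring check that goes
// through String.prototype.includes (assumed shape, not the library's code).
function parseStrGuarded(input, target = {}) {
  for (const pair of input.split('&')) {
    if (pair === '') continue;
    const [rawKey, value] = splitPair(pair);
    if (FORBIDDEN.some((bad) => rawKey.includes(bad))) continue; // "blocked"
    setPathNaive(target, splitKey(rawKey), value);
  }
  return target;
}

// Hardened variant: exact comparison of every path segment with no string
// method involved, a null-prototype result object, and traversal that only
// descends into properties the result object itself owns.
function pathIsSafe(keys) {
  for (const k of keys) {
    for (const bad of FORBIDDEN) {
      if (k === bad) return false;
    }
  }
  return true;
}

function setPathOwnOnly(obj, keys, value) {
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

function parseStrHardened(input, target = Object.create(null)) {
  for (const pair of input.split('&')) {
    if (pair === '') continue;
    const [rawKey, value] = splitPair(pair);
    const keys = splitKey(rawKey);
    if (!pathIsSafe(keys)) continue;
    setPathOwnOnly(target, keys, value);
  }
  return target;
}

const PAYLOAD = 'constructor[prototype][polluted]=yes'; // payload from the advisory

// Runs the guarded parser before and after tampering with includes, then
// restores the environment so the shared prototype is left clean.
function reproduceBypass() {
  parseStrGuarded(PAYLOAD);
  const untampered = ({}).polluted;          // guard intact: still undefined
  const originalIncludes = String.prototype.includes;
  String.prototype.includes = function () { return false; };
  try {
    parseStrGuarded(PAYLOAD);                // guard never fires now
    return { untampered, tampered: ({}).polluted }; // tampered === 'yes'
  } finally {
    String.prototype.includes = originalIncludes;
    delete Object.prototype.polluted;
  }
}

// Same tampering against the hardened parser: the payload is rejected and
// Object.prototype is untouched.
function hardenedUnderTamper() {
  const originalIncludes = String.prototype.includes;
  String.prototype.includes = function () { return false; };
  try {
    const result = parseStrHardened(PAYLOAD);
    return { prototypePolluted: ({}).polluted !== undefined, keys: Object.keys(result) };
  } finally {
    String.prototype.includes = originalIncludes;
    delete Object.prototype.polluted;
  }
}

console.log('guarded parser:', JSON.stringify(reproduceBypass()));
console.log('hardened parser:', JSON.stringify(hardenedUnderTamper()));
```

Two points the example makes beyond the reproduction text: a forbidden-key check is only as strong as the primitives it calls, so comparing segments exactly and refusing to walk inherited properties closes the path even when the key list is incomplete; and an attacker who can already redefine String.prototype.includes is executing JavaScript inside the process, so in practice this finding is about the fragility of the guard rather than a new entry point. Treat any code that feeds untrusted query strings to parse_str on an affected version as exposed regardless.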

Remediation

Upgrade to Locutus version 2.0.39 or later, which contains the fix. Until the upgrade is deployed, review code paths that pass untrusted query strings to parse_str, since any such input on an affected version can reach the shared prototype.

Added: Feb 4, 2026, 10:30 PM
Updated: Feb 4, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.