Flatted Prototype Pollution Vulnerability in parse() Function
Vulnerability
A prototype pollution vulnerability has been identified in the Flatted package, specifically in versions through 3.4.1. The issue arises in the parse() function, where attacker-controlled string values from the parsed JSON can be used as array index keys without proper validation. This lack of validation allows non-numeric keys, such as '__proto__', to access the internal input buffer, which is a JavaScript Array. Accessing the array with '__proto__' returns a live reference to Array.prototype via the inherited getter. This reference is then treated as a valid parsed value and assigned to the output object, effectively leaking Array.prototype to the consumer. Any subsequent modifications to this property will alter the global prototype, potentially leading to a denial-of-service condition or arbitrary code execution.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can manipulate the global prototype chain. This could disrupt the application's functionality or, in certain contexts, be leveraged for code execution.
Reproduction
To reproduce this vulnerability, use a crafted Flatted string that includes a non-numeric key, such as '__proto__'. The parse() function will then produce an object holding a reference to Array.prototype. Next, write to the property of that object which holds the leaked prototype reference. The write lands on the global Array prototype, demonstrating successful exploitation of the vulnerability.
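The following is an added example, not Flatted's own code: it models the defect described above (a parsed string used directly as an index into an Array buffer) beside a hardened lookup that accepts only canonical, in-range integer indexes, plus a consumer-side check for a result that aliases a global prototype. The buffer `input` and the helper names are constructed for illustration.

```javascript
// Unsafe lookup, modelling the flaw: whatever string the parsed JSON
// supplies is used as the array index. For a non-numeric key such as
// '__proto__' the Array's inherited getter returns Array.prototype itself.
function unsafeLookup(buffer, key) {
  return buffer[key];
}

// Accept only canonical decimal integers ('0', '1', ... no leading zeros,
// no sign, no whitespace) that fall inside the buffer. Everything else,
// including '__proto__' and 'constructor', is rejected.
function isArrayIndex(key, length) {
  if (typeof key !== 'string') return false;
  if (!/^(0|[1-9][0-9]*)$/.test(key)) return false;
  const i = Number(key);
  return Number.isSafeInteger(i) && i < length;
}

// Hardened lookup: validate the reference before touching the buffer.
function safeLookup(buffer, key) {
  if (!isArrayIndex(key, buffer.length)) {
    throw new TypeError(`invalid reference key: ${JSON.stringify(key)}`);
  }
  return buffer[key];
}

// Consumer-side check: a value returned by a deserializer must never be
// a live reference to a shared global prototype.
function aliasesGlobalPrototype(value) {
  return value === Array.prototype || value === Object.prototype;
}

// Demonstration on a constructed buffer (stand-in for the parser's input).
function demonstrate() {
  const input = ['a', 'b', 'c'];
  let hardened;
  try {
    safeLookup(input, '__proto__');
    hardened = 'accepted';
  } catch (e) {
    hardened = e instanceof TypeError ? 'rejected' : 'unexpected';
  }
  return {
    unsafeLeaksPrototype: aliasesGlobalPrototype(unsafeLookup(input, '__proto__')),
    hardenedResult: hardened,
    hardenedValidIndex: safeLookup(input, '2'),
  };
}
```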
Remediation
Users can upgrade to Flatted version 3.4.2, where this vulnerability has been patched.