Signal K Server Arbitrary Prototype Read Vulnerability in Application Data JSON-Patch Endpoint
Vulnerability
An arbitrary prototype read vulnerability affects Signal K Server versions prior to 2.24.0. It allows a low-privileged authenticated user to bypass the endpoint's prototype boundary filtering and read internal functions and properties from the global Object prototype into their own application data. The flaw is in the application data JSON-patch endpoint: the 'from' field of a JSON Patch 'copy' operation (RFC 6902) is not validated against the prototype chain, so a pointer that names an inherited property rather than an own property of the user's data is resolved instead of rejected. The issue is fixed in version 2.24.0.
Impact
Exploitation lets the attacker copy arbitrary prototype properties, including internal Node.js functions, into their own application data, breaking the isolation between user-controlled data and the server's internal objects.
Reproduction
To reproduce this vulnerability, send a JSON-patch request as an authenticated low-privileged user to the '/signalk/v1/applicationData/global/testapp/1.0' endpoint. Include a 'copy' operation whose 'from' pointer names a property that exists only on the prototype, such as '/toString', with 'path' set to an ordinary key in the user's data. The request passes the prototype pollution guard and the targeted prototype property is read and stored in the user's application data.
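The following Node.js snippet is an added illustration, not code from Signal K Server or from the advisory. It applies a JSON Patch 'copy' with a minimal RFC 6901 pointer resolver to show why a 'from' of '/toString' on an empty object reads Object.prototype.toString, and places an own-property check beside it that rejects the same patch while still allowing a normal copy. The resolver names, the FORBIDDEN_KEYS list and the patch body are constructed for this example and are not the project's own code.

```javascript
// Added example, not Signal K Server's own code: a minimal JSON Patch "copy"
// applier showing how a "from" pointer naming an inherited property such as
// "/toString" reads through the prototype chain, beside an own-property check
// that rejects it. Names and the patch body below are constructed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// RFC 6901: "/a~1b/0" -> ["a/b", "0"]; "" -> [] (the whole document)
function parsePointer(ptr) {
  if (ptr === '') return [];
  if (typeof ptr !== 'string' || ptr[0] !== '/') {
    throw new Error(`invalid JSON pointer: ${ptr}`);
  }
  return ptr.slice(1).split('/')
    .map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

function toPointer(segs) {
  return segs.map(s => '/' + s.replace(/~/g, '~0').replace(/\//g, '~1')).join('');
}

// Vulnerable resolution: plain property access follows the prototype chain,
// so "/toString" on an empty object yields Object.prototype.toString.
function resolveUnsafe(doc, ptr) {
  let cur = doc;
  for (const seg of parsePointer(ptr)) cur = cur[seg];
  return cur;
}

// Hardened resolution: every segment must be an own property of a non-null
// object, and prototype-related names are refused outright.
function resolveSafe(doc, ptr) {
  let cur = doc;
  for (const seg of parsePointer(ptr)) {
    if (FORBIDDEN_KEYS.has(seg) || cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, seg)) {
      throw new Error(`path does not exist: ${ptr}`);
    }
    cur = cur[seg];
  }
  return cur;
}

// Apply one "copy" operation. The write side refuses prototype keys (a
// pollution guard of the kind the advisory says the endpoint already had);
// the read side uses whichever resolver is passed in.
function applyCopy(doc, op, resolve) {
  if (op.op !== 'copy') throw new Error('only "copy" is handled here');
  const value = resolve(doc, op.from);
  const segs = parsePointer(op.path);
  if (segs.length === 0) throw new Error('cannot copy onto the document root');
  const key = segs.pop();
  if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to write key ${key}`);
  const parent = resolve(doc, toPointer(segs));
  if (parent === null || typeof parent !== 'object') {
    throw new Error(`parent of ${op.path} is not a container`);
  }
  parent[key] = value;
  return doc;
}

// Constructed patch mirroring the reproduction: the write key "leaked" is
// harmless, so a write-side guard never fires; the read of "/toString" is
// what escapes the user's own data.
const MALICIOUS_PATCH = [{ op: 'copy', from: '/toString', path: '/leaked' }];

// Pre-fix behaviour: true when the user's data now holds a prototype function.
function leaksPrototypeFunction() {
  const appData = applyCopy({}, MALICIOUS_PATCH[0], resolveUnsafe);
  return appData.leaked === Object.prototype.toString;
}

// Hardened behaviour: the same patch is rejected.
function hardenedOutcome() {
  try {
    applyCopy({}, MALICIOUS_PATCH[0], resolveSafe);
    return 'copied';
  } catch (e) {
    return 'rejected';
  }
}

// A legitimate copy of an own property still works under the hardened resolver.
function legitimateCopy() {
  const appData = { settings: { units: 'metric' } };
  applyCopy(appData, { op: 'copy', from: '/settings/units', path: '/backupUnits' }, resolveSafe);
  return appData.backupUnits;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('pre-fix leaks Object.prototype.toString:', leaksPrototypeFunction());
  console.log('hardened resolver:', hardenedOutcome());
  console.log('legitimate copy:', legitimateCopy());
}
```

The point the example makes is that a guard on the write side ('path') alone is not enough: the 'from' side of 'copy' (and 'move') must be resolved with own-property semantics, otherwise any inherited name is readable. Rejecting '__proto__', 'constructor' and 'prototype' as segment names is defence in depth on top of the own-property check, not a substitute for it.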
Remediation
Upgrade to Signal K Server version 2.24.0 or later, which contains the fix.
