CodeGenieApp serverless-express Property Injection Vulnerability in Users Endpoint

A property injection vulnerability has been identified in CodeGenieApp's serverless-express framework, affecting versions through 4.17.1. The issue arises in the Users Endpoint, specifically within the utils/dynamodb.ts file. The vulnerability allows authenticated attackers to manipulate the filter query parameter, leading to unauthorized access to object properties and database schema enumeration. This injection could be exploited remotely, with a public exploit available.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of database schema and inspection of prototype chain properties, potentially revealing sensitive framework information and internal application logic.

Reproduction

To reproduce this vulnerability, authenticate a user to obtain a valid JWT token. Then, send a GET request to the /users endpoint with a filter query parameter that includes arbitrary property names. The response will reveal whether the specified properties exist, allowing for systematic schema discovery.

Remediation

It is recommended to implement property validation on the filter parameter, restricting access to an allowlist of safe fields. Additionally, logging, rate limiting, and unit tests for property validation can help detect and mitigate potential exploitation.