Evolver Prototype Pollution Vulnerability in Mailbox Store Module
Vulnerability
A prototype pollution vulnerability has been identified in Evolver versions prior to 1.69.3. This vulnerability allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The issue arises in the mailbox store module's _applyUpdate() and _updateRecord() functions, which use Object.assign() to merge user-controlled data without properly filtering out dangerous keys such as __proto__, constructor, or prototype. Exploitation of this vulnerability requires write access to the messages.jsonl file, which is used for mailbox persistence.
Impact
Exploitation of this vulnerability leads to prototype pollution, allowing for property injection that affects all JavaScript objects. This can result in an authentication or authorization bypass, manipulation of application logic, a denial of service through prototype corruption, and potentially remote code execution if the polluted properties interact with security-sensitive code paths.
Reproduction
To reproduce this vulnerability, write a JSONL entry into the messages.jsonl file with the __proto__ key included in the fields. When the mailbox store module processes this entry, the prototype pollution will occur, injecting the specified properties into Object.prototype. After loading the malicious entry, check a regular object for the injected properties to confirm the pollution. Additionally, demonstrate the impact by bypassing an authentication check using the polluted prototype property.
Remediation
Users should update to Evolver version 1.69.3 or later, where this vulnerability has been patched.
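The merge flaw described under Vulnerability, and the confirmation check under Reproduction, as an added example that is not Evolver's own code: a stand-in mailbox store that loads a messages.jsonl blob, refuses any record carrying __proto__, constructor or prototype keys before merging, and exposes a canary check for confirming Object.prototype stayed clean. All function and field names, and the sample file, are assumptions.

```javascript
// Added example, not Evolver's code: a stand-in mailbox store that loads a
// messages.jsonl blob and applies field updates, hardened against the
// unfiltered merge the advisory describes. All names are assumptions.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed record and return the dotted paths of any dangerous own keys.
// JSON.parse creates "__proto__" as an ordinary own key, so Object.keys sees it.
function findDangerousKeys(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) hits.push(here);
    hits.push(...findDangerousKeys(value[key], here));
  }
  return hits;
}

// Hardened _applyUpdate-style merge: refuse the whole update if any
// dangerous key is present anywhere, then copy only the remaining own keys.
function applyUpdateSafe(record, fields) {
  const bad = findDangerousKeys(fields);
  if (bad.length > 0) throw new Error(`unsafe keys: ${bad.join(', ')}`);
  for (const key of Object.keys(fields)) record[key] = fields[key];
  return record;
}

// Load a JSONL blob line by line; unsafe or unparsable lines are quarantined
// instead of merged, so a tampered persistence file cannot poison the store.
function loadMailbox(jsonlText) {
  const store = new Map();
  const rejected = [];
  jsonlText.split('\n').forEach((line, i) => {
    if (!line.trim()) return;
    try {
      const entry = JSON.parse(line);
      const record = store.get(entry.id) ?? { id: entry.id };
      store.set(entry.id, applyUpdateSafe(record, entry.fields ?? {}));
    } catch (err) {
      rejected.push({ line: i + 1, reason: err.message });
    }
  });
  return { store, rejected };
}

// Canary check: a fresh object must not inherit a key that only a polluted
// Object.prototype would supply.
function prototypeIsClean(canary) { return !(canary in {}); }

// Constructed sample file: two legitimate lines and one tampered line.
const SAMPLE_JSONL = [
  '{"id":"m1","fields":{"subject":"hello","read":false}}',
  '{"id":"m2","fields":{"subject":"report","__proto__":{"isAdmin":true}}}',
  '{"id":"m1","fields":{"read":true}}',
].join('\n');
```

Running loadMailbox over SAMPLE_JSONL keeps m1 (with read updated to true), quarantines line 2 with the offending key path in its reason, and prototypeIsClean('isAdmin') stays true afterwards.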
