form-data-objectizer Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability has been identified in the form-data-objectizer library, affecting versions through 1.0.0. The issue arises because the library converts bracket-notation form keys into nested objects without rejecting key segments that reach the prototype chain, namely __proto__, constructor, and prototype. As a result, an HTTP form field named __proto__[polluted] writes a property onto Object.prototype, and the pollution persists for the lifetime of the Node.js process.

Impact

Exploitation of this vulnerability leads to uncontrolled prototype pollution, allowing an attacker to manipulate Object.prototype. This can disrupt the behavior of the application by, for example, injecting properties that bypass security checks or interfere with the application's logic. The pollution effect lasts for the duration of the Node.js worker process, affecting all subsequent requests handled by that process.

Reproduction

To reproduce this vulnerability, create a new Node.js project and install form-data-objectizer version 1.0.0. Then, use the library to convert form data that includes a key with the __proto__ bracket notation, such as __proto__[polluted]. After the form data is processed, the pollution can be observed by checking the Object.prototype for the injected property.

Remediation

Users can update to form-data-objectizer version 1.0.1, which addresses the vulnerability by rejecting form key segments that could lead to prototype pollution before processing the form data.
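The following is an added illustration of the remediation described above, not code from form-data-objectizer itself: a bracket-notation form-key parser (hypothetical `objectizeFormData`, assumed input of `[key, value]` pairs) that refuses the unsafe segments before any property write, so a key such as `__proto__[polluted]` never reaches Object.prototype.

```javascript
// Added example (not the form-data-objectizer source). Converts form keys like
// "user[address][city]" into { user: { address: { city: value } } } while
// rejecting the key segments named in the advisory.

const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"]; malformed bracket syntax is an error.
function splitFormKey(key) {
  const match = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!match) throw new Error(`malformed form key: ${key}`);
  const segments = [match[1]];
  const bracket = /\[([^[\]]*)\]/g;
  let m;
  while ((m = bracket.exec(match[2])) !== null) segments.push(m[1]);
  return segments;
}

// Build a nested plain object from [[key, value], ...] pairs.
// Primary fix: every segment is checked before it is used as a property name.
// Defense in depth: nodes are null-prototype objects, so even a segment that
// slipped through would create an own property rather than touch Object.prototype.
function objectizeFormData(pairs) {
  const root = Object.create(null);
  for (const [key, value] of pairs) {
    const segments = splitFormKey(key);
    for (const seg of segments) {
      if (UNSAFE_SEGMENTS.has(seg)) {
        throw new Error(`rejected unsafe form key segment "${seg}" in "${key}"`);
      }
    }
    let node = root;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof node[seg] !== 'object' || node[seg] === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return root;
}

// Check an application can run after processing form data: a fresh object
// must not carry the property the advisory's reproduction step looks for.
function isPrototypeClean() {
  return ({}).polluted === undefined;
}
```

The `isPrototypeClean` check mirrors the observation step in the Reproduction section and is what a regression test for the 1.0.1 fix would assert.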

Added: May 29, 2026, 2:21 PM
Updated: May 29, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.