jsondiffpatch Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability has been identified in the jsondiffpatch package, affecting versions prior to 0.7.6. The issue arises in the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs, which use attacker-controlled property names and JSON Patch path segments to traverse and modify the target object. That traversal does not restrict access to special properties such as __proto__ or constructor.prototype, so a walk that starts at an ordinary object can reach Object.prototype and assign to it. The vulnerability is exploited by supplying a crafted delta or JSON Patch document whose keys or path segments name these unguarded properties.
Impact
Exploitation of this vulnerability allows the injection of properties into Object.prototype, which are then inherited by every plain object in the JavaScript realm. This can lead to logic corruption, denial-of-service conditions through unexpected values or exceptions, and security-relevant changes in code that reads a property without checking that it is an own property, since a lookup for a key the object lacks now resolves through the prototype chain to the attacker-supplied value.
Reproduction
The vulnerability can be reproduced by applying a crafted delta whose nested keys target constructor.prototype, or by applying a JSON Patch document whose path adds a property under the __proto__ key of the target object. Both jsondiffpatch.patch() and the jsondiffpatch/formatters/jsonpatch.patch() helper are affected. After the document is applied, reading the injected property name on a fresh object literal returns the attacker's value, which is the quickest way to confirm that Object.prototype was polluted.
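To make the mechanism described in the Vulnerability and Reproduction sections concrete, the following added example (written for this page; it is not jsondiffpatch's code and only models the "added property" form of its delta format) implements a toy JSON Patch "add" applier and a toy delta applier the unsafe way, beside hardened versions that refuse the special keys, together with a check for pollution. The function names, the FORBIDDEN_KEYS set and the two malicious documents are constructed for the illustration.

```javascript
// Added illustration for this advisory, not jsondiffpatch's source. The unsafe
// appliers reproduce the bug class (walking attacker-supplied keys and path
// segments with plain property access); the safe ones show the fix. All
// inputs below are constructed for the example.

// Keys that must never be traversed or assigned from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  if (FORBIDDEN_KEYS.has(key)) throw new Error('refusing special key: ' + key);
}

// --- JSON Patch style: an "add" op addressed by an RFC 6901 pointer ---

// Split a JSON Pointer into unescaped segments ("~1" -> "/", "~0" -> "~").
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('invalid JSON Pointer: ' + pointer);
  return pointer.slice(1).split('/')
    .map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// UNSAFE: "/__proto__/x" walks from any plain object into Object.prototype.
function jsonPatchAddUnsafe(target, op) {
  const segs = parsePointer(op.path);
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur[segs[i]] === undefined) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = op.value;
  return target;
}

// HARDENED: reject special segments up front, descend only into own properties.
function jsonPatchAddSafe(target, op) {
  const segs = parsePointer(op.path);
  segs.forEach(assertSafeKey);
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = op.value;
  return target;
}

// --- jsondiffpatch-style delta: {key: [newValue]} adds, nested objects recurse ---

// UNSAFE: {constructor: {prototype: {x: ['v']}}} reaches Object.prototype,
// because target.constructor is Object and Object.prototype hangs off it.
function applyDeltaUnsafe(target, delta) {
  for (const key of Object.keys(delta)) {
    const d = delta[key];
    if (Array.isArray(d) && d.length === 1) {
      target[key] = d[0];
    } else if (d && typeof d === 'object') {
      if (target[key] === undefined) target[key] = {};
      applyDeltaUnsafe(target[key], d);
    }
  }
  return target;
}

// HARDENED: screen every key and recurse only through own properties,
// so the walk can never leave the target's own object tree.
function applyDeltaSafe(target, delta) {
  for (const key of Object.keys(delta)) {
    assertSafeKey(key);
    const d = delta[key];
    if (Array.isArray(d) && d.length === 1) {
      target[key] = d[0];
    } else if (d && typeof d === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = {};
      applyDeltaSafe(target[key], d);
    }
  }
  return target;
}

// Pollution check: the key must not have become an own property of Object.prototype.
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Undo a pollution (cleanup for tests only; real code should never get here).
function unpollute(name) {
  delete Object.prototype[name];
}

// Constructed malicious documents, shaped like those the advisory describes.
const MALICIOUS_JSON_PATCH = { op: 'add', path: '/__proto__/pollutedViaPatch', value: 'yes' };
const MALICIOUS_DELTA = { constructor: { prototype: { pollutedViaDelta: ['yes'] } } };

// Runs all four appliers and reports what happened, cleaning up after itself.
function demonstrate() {
  const r = {};
  jsonPatchAddUnsafe({}, MALICIOUS_JSON_PATCH);
  r.patchUnsafePolluted = ({}).pollutedViaPatch === 'yes';
  unpollute('pollutedViaPatch');
  try { jsonPatchAddSafe({}, MALICIOUS_JSON_PATCH); r.patchSafeRejected = false; }
  catch (e) { r.patchSafeRejected = !isPolluted('pollutedViaPatch'); }
  applyDeltaUnsafe({}, MALICIOUS_DELTA);
  r.deltaUnsafePolluted = ({}).pollutedViaDelta === 'yes';
  unpollute('pollutedViaDelta');
  try { applyDeltaSafe({}, MALICIOUS_DELTA); r.deltaSafeRejected = false; }
  catch (e) { r.deltaSafeRejected = !isPolluted('pollutedViaDelta'); }
  return r;
}
```

The two hardened appliers illustrate the general fix for this bug class: reject the three special names before any traversal, and only descend into own properties so that a chain like constructor, prototype can never be walked even if a name slips past the deny-list. Note that a delta written as a JavaScript literal with an __proto__ key sets the literal's prototype rather than an own key, which is why the __proto__ variant in practice arrives through JSON.parse of attacker input; the delta case above therefore uses the constructor.prototype route the advisory names.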
Remediation
Users are advised to upgrade jsondiffpatch to version 0.7.6 or later. Until the upgrade is deployed, do not apply deltas or JSON Patch documents from untrusted sources without first rejecting any key or path segment named __proto__, constructor or prototype; calling Object.freeze(Object.prototype) at application start-up is a further defense-in-depth measure that blocks this class of pollution regardless of the library in use.
