PT-2020-16968 · Npm · Shvl
Published
2020-12-29
·
Updated
2022-05-24
·
CVE-2020-28278
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
shvl versions 1.0.0 through 2.0.1
Description
The issue allows an attacker to cause a denial of service and may lead to remote code execution due to a prototype pollution vulnerability. The vulnerability exists because the set() function in the 'shvl' NPM module does not check the type of object before assigning a value to a property. As a result, an attacker can create non-existent properties or manipulate existing ones, potentially leading to denial of service or remote code execution. The vulnerability can be triggered by supplying a malicious value to the path argument of the set() function, allowing an attacker to pollute the Object prototype. For example, by adjusting the path value to include the __proto__ property, an attacker can assign a property directly to an empty object, effectively polluting the Object prototype.
Recommendations
For shvl versions 1.0.0 through 2.0.1, to mitigate the prototype pollution vulnerability, consider the following:
- Freeze objects to prevent adding, removing, or changing their properties.
- Validate JSON input using schema validation to ensure it only contains predefined attributes.
- Use Object.create to change objects so they do not have any prototype association, thereby preventing prototype pollution.
As a temporary workaround, consider disabling the set() function until a patch is available. Restrict access to the shvl module to minimize the risk of exploitation. Avoid using the path and val arguments in the set() function until the issue is resolved.
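The following is an added example written for this page; it is not shvl's code and does not reproduce its set() function. It shows a naive deep-set of the kind the description covers (a path is walked segment by segment with no check on the key, so a "__proto__" segment walks into the prototype chain), next to a hardened version that applies the recommendations above: prototype-reaching keys are rejected, only own properties are followed, intermediate objects are created with Object.create(null), and a JSON.parse reviver drops the same keys from untrusted input (a narrower check than the full schema validation the advisory recommends). The demonstration of the naive walk is contained: the target object inherits from a private object, so the leaked assignment lands there and never touches the global Object.prototype. Function names (naiveSet, safeSet, parseUntrustedJson) and the sample inputs are constructed for this example.

```javascript
// Added example (Node.js, no dependencies), not code from the shvl project.

// Keys that let a walk reach a shared prototype instead of an own property.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function splitPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Naive deep-set: creates intermediates and assigns the leaf without ever
// checking the key. A "__proto__" segment resolves through the inherited
// accessor, so the final assignment lands on the prototype, not the target.
function naiveSet(obj, path, value) {
  const keys = splitPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened deep-set:
//  1. refuse any segment that could reach a prototype,
//  2. descend only into properties the current object itself owns,
//  3. build intermediates with Object.create(null), so they have no prototype.
function safeSet(obj, path, value) {
  const keys = splitPath(path);
  if (keys.length === 0) throw new TypeError('empty path');
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN.has(key)) {
      throw new TypeError(`refusing prototype-polluting key "${key}"`);
    }
    if (i === keys.length - 1) {
      cur[key] = value;
      break;
    }
    // Inherited properties are ignored; a missing or non-object own
    // property is replaced by a fresh prototype-less container.
    const own = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (own === null || typeof own !== 'object') {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  return obj;
}

// JSON.parse reviver: returning undefined for a key deletes it, so a
// "__proto__" member in untrusted JSON never becomes an own property.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN.has(key) ? undefined : value));
}

// Contained demonstration of the naive walk: `target` inherits from a private
// `proto`, so the leaked assignment is observable there and nowhere else.
function demoNaivePollution() {
  const proto = {};
  const target = Object.create(proto);
  naiveSet(target, '__proto__.polluted', 'yes');
  return proto.polluted; // 'yes': the value ended up on the prototype
}

// The hardened version: normal paths work, dangerous paths are rejected,
// intermediates carry no prototype, and the global prototype stays clean.
function demoSafeSet() {
  const result = { normal: null, nullProto: false, outcome: null, pollutedGlobal: true };
  const obj = {};
  safeSet(obj, 'a.b.c', 42);
  result.normal = obj.a.b.c;
  result.nullProto = Object.getPrototypeOf(obj.a) === null;
  try {
    safeSet({}, ['constructor', 'prototype', 'polluted'], 'yes');
    result.outcome = 'allowed';
  } catch (e) {
    result.outcome = e instanceof TypeError ? 'rejected' : 'error';
  }
  result.pollutedGlobal = ({}).polluted !== undefined;
  return result;
}

// Constructed input: the "__proto__" member is dropped, ordinary members survive.
function demoParse() {
  const parsed = parseUntrustedJson('{"__proto__":{"polluted":1},"ok":2}');
  return {
    hasProtoKey: Object.prototype.hasOwnProperty.call(parsed, '__proto__'),
    ok: parsed.ok,
  };
}

console.log(demoNaivePollution(), demoSafeSet(), demoParse());
```

The own-property check in safeSet is what closes the gap the advisory describes: even if a forbidden key were spelled differently in some future variant, a walk that only follows properties the object itself owns cannot step onto a shared prototype, and Object.create(null) intermediates give a later assignment nothing to pollute.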
Exploit
Fix
Prototype Pollution
Weakness Enumeration
Related Identifiers
Affected Products
Shvl