Prototype Pollution in object-dot #4
Description
Prototype Pollution in object-dot
Summary
object-dot (<= 1.7.0) is vulnerable to Prototype Pollution via object-dot.set.
- CWE: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
- Severity: Critical (CVSS 9.8)
- Weekly Downloads: 8,518
- npm: https://www.npmjs.com/package/object-dot
Description
The function(s) object-dot.set in object-dot do not properly restrict modifications to Object.prototype. When processing user-controlled input, an attacker can inject properties via __proto__ or constructor.prototype keys, polluting the prototype of all JavaScript objects in the application.
Attack vectors: array-path __proto__, dot-path __proto__
Proof of Concept
const target = require('object-dot');
// 1. Pollute Object.prototype
const malicious = JSON.parse('{"__proto__":{"polluted":"yes"}}');
object-dot.set({}, "__proto__.key", "value");
// 2. Verify pollution
const obj = {};
console.log(obj.polluted); // "yes" - prototype is polluted
console.log('Vulnerable:', obj.polluted === 'yes');Impact
Successful exploitation allows an attacker to:
- Remote Code Execution (RCE) via
child_processspawn injection orvmsandbox escape - Authentication Bypass via polluted authorization checks
- SQL Injection through polluted query parameters
- Denial of Service (DoS) by overriding critical object methods
- SSRF through polluted URL/host configurations
- Cross-Site Scripting (XSS) via polluted template variables
- Path Traversal through polluted file path configurations
- CORS Bypass via polluted origin/header settings
Remediation
Add key filtering to prevent prototype pollution:
function isSafe(key) {
return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}Or use Object.create(null) for target objects to prevent prototype chain access.