CVE-2021-25927

Overview

Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module `safe-flat` can be abused by Prototype Pollution vulnerability since the function `unflatten()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property, or be able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

The function ` unflatten ()` accepts `obj` and `delimiter` as arguments. Due to the absence of validation on the values passed into the argument of `obj`, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly assigned to the new object, thereby polluting the base Object prototype. Later in the code, there is a check to validate `polluted`, and the value would be substituted as "Yes! It’s Polluted" as it had been polluted.

PoC Code

var safeFlat = require("safe-flat");
console.log("Before : " + {}.polluted);
safeFlat.unflatten({"__proto__.polluted": "Yes! Its Polluted"}, '.');
console.log("After : " + {}.polluted);

Affected Environments

2.0.0-2.0.1

Prevention

Upgrade to version 2.0.2