Description
Summary
A prototype pollution vulnerability in the min-document package allows attackers to manipulate JavaScript object prototypes via improper handling of namespace operations in the removeAttributeNS method. This can lead to denial of service or arbitrary code execution in applications using affected versions.
Details
The vulnerability arises from insufficient validation of attribute namespace removal operations in the removeAttributeNS method. When processing input containing the __proto__ property, the method incorrectly modifies the prototype chain of critical JavaScript objects. This behavior stems from mishandling of namespace operations in the DOM implementation logic, as described in CWE-1321.
The issue affects versions prior to 2.19.0 of the package. While version 2.19.0 is marked as the latest available version, the vulnerability remains unaddressed in this release according to the package maintainer's analysis.
Impact
This is a prototype pollution vulnerability (CWE-1321) that affects any application using min-document versions <2.19.0. Attackers can exploit this to:
- Delete or overwrite critical object properties (e.g., toString)
- Trigger denial of service conditions
- Potentially execute arbitrary code in the context of the application
Users are advised to audit their dependencies and avoid untrusted input processing with this package until a fix becomes available.
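The lookup pattern described under Details, as an added example that is not part of the original report and is not min-document's source: a simplified attribute store keyed as store[namespace][name], with an unguarded removal next to two hardened forms. All function names and the canary property are assumptions made for this illustration.

```javascript
// Added example: simplified model, not min-document's source.
// Attributes are stored as store[namespace][name] on plain objects.

function removeAttributeNSUnsafe(store, namespace, name) {
  // With namespace "__proto__", a plain-object store returns Object.prototype
  // here, so the delete below acts on the shared prototype.
  const attrs = store[namespace];
  if (attrs) delete attrs[name];
}

function removeAttributeNSSafe(store, namespace, name) {
  const own = Object.prototype.hasOwnProperty;
  // Follow only namespaces and names that are the object's own keys.
  if (!own.call(store, namespace)) return false;
  const attrs = store[namespace];
  if (!own.call(attrs, name)) return false;
  return delete attrs[name];
}

// Prototype-less store: "__proto__" is an ordinary missing key.
function createStore() {
  return Object.create(null);
}

// Places a constructed canary on Object.prototype, runs one removal with the
// "__proto__" namespace, and reports whether the canary survived.
// The canary is always cleaned up afterwards.
function canarySurvives(removeFn, store) {
  const CANARY = "__added_example_canary__"; // constructed name
  Object.defineProperty(Object.prototype, CANARY, {
    value: true, configurable: true, enumerable: false, writable: true,
  });
  try {
    removeFn(store, "__proto__", CANARY);
    return CANARY in {};
  } finally {
    delete Object.prototype[CANARY];
  }
}

const results = {
  unsafePlain: canarySurvives(removeAttributeNSUnsafe, {}),                // false
  safePlain: canarySurvives(removeAttributeNSSafe, {}),                    // true
  unsafeNullProto: canarySurvives(removeAttributeNSUnsafe, createStore()), // true
};
console.log(results);
```

Either guard is enough on its own: the own-property check blocks the inherited `__proto__` lookup, and a store created with `Object.create(null)` has no prototype chain to reach.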