VYPR
Moderate severity · NVD Advisory · Published Feb 18, 2020 · Updated Aug 4, 2024

CVE-2019-10794

Description

All versions of component-flatten are vulnerable to Prototype Pollution. A function in the package could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

component-flatten is vulnerable to Prototype Pollution via a __proto__ payload, allowing an attacker to modify Object.prototype.

Vulnerability

Overview

The component-flatten package, used for flattening dependency trees in the component-resolver ecosystem, is vulnerable to Prototype Pollution across all versions. The flaw resides in a function that can be tricked into adding or modifying properties of Object.prototype by passing a __proto__ payload [1][2]. This type of vulnerability allows an attacker to pollute the base prototype of JavaScript objects.

Exploitation

To exploit this vulnerability, an attacker needs to supply a crafted object with a __proto__ property to the flatten function. No authentication or special privileges are required if untrusted input reaches the function. The attack surface is typical of Node.js applications that process user-controlled data through the affected library [1][2].

Impact

Successful prototype pollution can lead to severe consequences, including remote code execution, denial of service, or property injection, depending on the application's logic. In this case, the impact ranges from denial of service to potentially arbitrary code execution in the context of the application [1].

Mitigation

As of the publication date, no patch was available for this vulnerability. Users are advised to avoid using untrusted input with the component-flatten library or to migrate to alternative solutions that are not affected [1][2].
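The following is an added illustration of the bug class described above, written for this page; it is not component-flatten's own code, and the merge-style flatten, the constructed payload and the helper names are assumptions. It places a recursive merge that copies untrusted keys beside a hardened version, plus a check that tells you whether Object.prototype has already been polluted.

```javascript
"use strict";
// Added illustration of the CVE-2019-10794 bug class, not component-flatten's
// own code: a recursive merge copying untrusted keys, beside a hardened form.
// Vulnerable: for key "__proto__", target[key] is Object.prototype, so the
// recursion writes the nested keys onto the prototype shared by every object.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened: drop keys that reach the prototype chain, and create children with
// Object.create(null) so they carry no prototype that could be polluted.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // silently drop, or throw, on hostile keys
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] !== null && typeof target[key] === "object";
      if (!ownObject) target[key] = Object.create(null);
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Detection: has Object.prototype gained an own property it should not have?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
// Constructed payload. JSON.parse yields an *own* "__proto__" key; an object
// literal would instead set the prototype of the literal itself.
const PAYLOAD = JSON.parse('{"name":"app","__proto__":{"polluted":true}}');
// Merge the payload with the given function and report whether it polluted.
function demo(merge) {
  const out = merge({}, PAYLOAD);
  const polluted = isPrototypePolluted("polluted");
  delete Object.prototype.polluted; // undo so later checks start clean
  return { polluted, name: out.name };
}
```

Running demo(mergeUnsafe) reports polluted: true while demo(mergeSafe) reports polluted: false with the ordinary "name" key preserved; isPrototypePolluted is the kind of check a test suite can run after exercising any code path that merges user-controlled JSON.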

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: component-flatten (npm)
Affected versions: <= 1.0.1
Patched versions: (none listed)

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)