VYPR
Critical severity · GHSA Advisory · Published Dec 22, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-28448

Description

Prototype pollution in multi-ini before 2.1.1 allows attackers to inject properties into Object.prototype via __proto__ in INI arrays.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The multi-ini npm package before version 2.1.1 is vulnerable to prototype pollution [1]. The flaw occurs when parsing INI files that contain an array with a __proto__ key. The parser does not sanitize the __proto__ property, allowing an attacker to inject arbitrary properties into the global Object.prototype [2]. This is a classic prototype pollution bug where the merge logic recursively copies properties without checking for dangerous keys like __proto__ [3].

Exploitation

An attacker can exploit this by crafting a malicious INI file (e.g., payload.ini) with a section named [__proto__] containing a key-value pair such as polluted = "polluted". When the application parses this file using multi-ini.read(), the __proto__ property is treated as a regular section, and its contents are merged into the object's prototype [3]. No authentication or special network position is required if the attacker can supply the INI file to the parser (e.g., via file upload or configuration injection).

Impact

Successful prototype pollution can lead to denial of service (by triggering JavaScript exceptions) or, in more severe cases, remote code execution if the polluted property influences application logic [2]. The injected properties are inherited by all JavaScript objects, potentially altering the behavior of the entire application.

Mitigation

The vulnerability is fixed in multi-ini version 2.1.1 by explicitly ignoring __proto__ in sections and keys [3]. Users should update to the latest version. No workarounds are documented; upgrading is the recommended action.
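To make the mechanism behind the Exploitation and Mitigation sections concrete, here is an added illustration that is not multi-ini's own code and not part of the advisory: a constructed minimal INI parser whose unsafe mode reproduces the bug class (a [__proto__] section resolving to Object.prototype) and whose safe mode applies the kind of section/key filter the fix is credited with. The sample INI text and the names parseIni, BLOCKED_KEYS, isPolluted and demonstrate are assumptions made for this example.

```javascript
// Constructed sample INI input mirroring the advisory's description:
// a [__proto__] section carrying an ordinary-looking key/value pair.
const SAMPLE_INI = [
  '[database]',
  'host = localhost',
  '[__proto__]',
  'polluted = "polluted"',
].join('\n');
// Names that must never become section or property names on plain objects.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Minimal section/key INI parser written for this illustration (not multi-ini's
// code). With safe=false it reproduces the bug class: result['__proto__'] resolves
// to Object.prototype, so later keys in that section land on the global prototype.
function parseIni(text, { safe }) {
  const result = {};
  let section = result;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      const name = header[1].trim();
      if (safe && BLOCKED_KEYS.has(name)) { section = null; continue; } // drop section
      if (result[name] === undefined) result[name] = {}; // '__proto__' is already defined
      section = result[name];
      continue;
    }
    if (section === null) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    if (safe && BLOCKED_KEYS.has(key)) continue; // drop dangerous key
    section[key] = line.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
  }
  return result;
}
// Detection check: a fresh object must not inherit the probe key.
const isPolluted = (key) => Object.create(Object.prototype)[key] !== undefined;
// Run both variants and report whether Object.prototype was affected.
function demonstrate() {
  const unsafe = parseIni(SAMPLE_INI, { safe: false });
  const pollutedByUnsafe = isPolluted('polluted');
  delete Object.prototype.polluted; // undo the demonstration's pollution
  const safe = parseIni(SAMPLE_INI, { safe: true });
  return { unsafe, safe, pollutedByUnsafe, pollutedBySafe: isPolluted('polluted') };
}
console.log(demonstrate());
```

The same probe (isPolluted with a key the application never defines) is a cheap runtime check to confirm that a parser handling untrusted configuration does not leak into Object.prototype.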

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: multi-ini (npm)
Affected versions: < 2.1.1
Patched versions: 2.1.1
