VYPR
High severity · NVD Advisory · Published Feb 4, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-28449

Description

Prototype Pollution vulnerability in the set function of decal JavaScript package affecting all versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

The vulnerability affects all versions of the decal JavaScript package, specifically within its set function [1]. The flaw is a Prototype Pollution issue [2]. Prototype Pollution occurs when an attacker can inject properties into existing JavaScript object prototypes, such as Object.prototype, by manipulating special attributes like __proto__, constructor, or prototype [2]. In this case, the set function does not properly sanitize or validate user-supplied property paths, allowing an attacker to pollute the base object prototype [1].

Exploitation

Method

An attacker can exploit this vulnerability by providing a crafted property path (e.g., including __proto__ or constructor.prototype) as input to the set function. When the function processes this input, it recursively sets the property on the target object without blocking dangerous keys. This results in the attacker's injected properties being added to Object.prototype, thereby affecting all JavaScript objects inheriting from that prototype [2]. The attack does not require authentication beyond the ability to pass controlled data to the vulnerable function.

Impact

Successful exploitation can lead to severe consequences, including the ability to tamper with application logic, bypass security checks, or cause denial of service by triggering unexpected JavaScript exceptions [2]. More critically, if the polluted prototype influences property resolution in a way that alters the application's code path, an attacker may achieve remote code execution (RCE) [2]. The full impact depends on how the application uses the polluted properties and the overall JavaScript runtime environment.

Mitigation

As of the publication date (2021-02-04), no patch was available for the decal package [1]. Users are advised to update to a patched version if and when it becomes available. In the absence of a fix, developers should consider replacing the decal library with an alternative that provides safe object manipulation functions or implement additional input validation and sanitization to block prototype pollution vectors [2].
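The defensive pattern the mitigation paragraph recommends, as an added example written for this page (it is not decal's own set() implementation and assumes nothing about decal's internal API): a path-based setter that refuses the __proto__, constructor and prototype segments before writing, plus a small runtime check a defender can use in tests or health checks to confirm that Object.prototype has not picked up unexpected keys. The names safeSet, prototypeIsClean and FORBIDDEN_KEYS are this example's own.

```javascript
// Added example, not decal's code: a hardened nested-property setter.
// Keys that would let a write walk into the prototype chain are rejected
// outright, which is the input validation the advisory's mitigation suggests.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept either a dotted string ("a.b.c") or an array of segments.
function toSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string or an array');
  }
  return path.split('.');
}

// Refuse any single segment that names a prototype-pollution vector.
function assertSafeSegment(segment) {
  if (FORBIDDEN_KEYS.has(segment)) {
    throw new Error(`refusing to set prototype-polluting key "${segment}"`);
  }
}

// Set target[path] = value, creating intermediate plain objects as needed.
// Every segment is validated before any write happens, so a rejected path
// leaves the target untouched.
function safeSet(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const segments = toSegments(path);
  segments.forEach(assertSafeSegment);

  let current = target;
  for (let i = 0; i < segments.length - 1; i += 1) {
    const key = segments[i];
    // Only descend into own, object-valued properties; an inherited value
    // could be shared with every other object on the prototype chain.
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || current[key] === null || typeof current[key] !== 'object') {
      current[key] = {};
    }
    current = current[key];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Defender-side check: a freshly created object should not inherit any of
// the given keys. If it does, Object.prototype has been polluted.
function prototypeIsClean(keys) {
  const probe = {};
  return keys.every((k) => !(k in probe));
}

// Usage (constructed input):
//   const cfg = safeSet({}, 'server.port', 8080);   // cfg.server.port === 8080
//   safeSet(cfg, '__proto__.isAdmin', true);         // throws, nothing written
//   prototypeIsClean(['isAdmin']);                   // true
```

Blocking the three segment names is the minimum; libraries that must accept arbitrary user-controlled paths usually also build intermediate containers with Object.create(null) so that no chain exists to pollute, and the prototypeIsClean probe belongs in a test suite or startup check rather than on a request path.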

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       | Affected versions | Patched versions
decal (npm)   | <= 2.1.3          |

Affected products: 2

Patches: 0

No patches discovered yet.


References: 5
