VYPR
Critical severity · NVD Advisory · Published Jul 25, 2022 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-28462

Description

All versions of ion-parser are vulnerable to prototype pollution via a malicious INI file, potentially leading to further exploitation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability overview

CVE-2020-28462 affects all versions of the npm package ion-parser. The vulnerability is a prototype pollution issue that occurs when the parse function processes a maliciously crafted INI file. Prototype pollution allows an attacker to inject properties into the global Object.prototype, which can alter the behavior of the application or lead to more severe attacks [1].

Exploitation details

An attacker can submit a specially crafted INI file to an application that uses ion-parser to parse it. The parser does not sanitize property keys such as __proto__, constructor, or prototype before using them as property names on the object it builds. By placing such keys in the INI file, the attacker can write into Object.prototype, which every ordinary object in the application inherits from [2]. No authentication or special privileges are required; the attacker only needs the ability to supply the malicious INI content, for example through a user-uploaded configuration file.

Impact

Successful exploitation can lead to denial of service (DoS), for example when code elsewhere in the process encounters an unexpected inherited property and throws, or it can tamper with application logic to force code paths chosen by the attacker, potentially resulting in remote code execution (RCE) depending on the application context [2]. The impact depends on how the application consumes the parsed object and on what other code does with properties it now finds on every object: a check such as `if (options.isAdmin)` on an object that never defined isAdmin is satisfied once the property exists on the prototype.
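The exploitation and impact described above, as an added example that is not part of this advisory or of ion-parser's code base: a minimal INI-style parser with the same class of defect, a single-section payload that pollutes Object.prototype through it, an unrelated object that afterwards appears to carry isAdmin, and a hardened rewrite that rejects the reserved keys and builds its result from null-prototype objects. The section syntax, the function names and the sample inputs are assumptions for illustration, not ion-parser's actual API.

```javascript
// Added illustration, not ion-parser's code. Assumed syntax: "[a.b]" headers
// select (and create) nested sections, "key = value" assigns into the current
// section, lines starting with ';' or '#' are comments.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function splitLines(text) {
  return text.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l && !l.startsWith(';') && !l.startsWith('#'));
}

// Vulnerable variant: keys taken from the file are used verbatim as property
// names. A "[__proto__]" header makes `current` Object.prototype, so every
// following "key = value" line lands on the global prototype.
function parseIniUnsafe(text) {
  const root = {};
  let current = root;
  for (const line of splitLines(text)) {
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      current = root;
      for (const part of section[1].split('.')) {
        if (typeof current[part] !== 'object' || current[part] === null) current[part] = {};
        current = current[part]; // BUG: "__proto__" walks into Object.prototype
      }
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim(); // BUG: key unchecked
  }
  return root;
}

// Hardened variant: reject reserved keys outright, and build the result from
// null-prototype objects so there is no prototype chain to reach even if a key
// slipped through. Only own properties count as existing sections.
function parseIniSafe(text) {
  const root = Object.create(null);
  let current = root;
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  for (const line of splitLines(text)) {
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      current = root;
      for (const part of section[1].split('.')) {
        if (FORBIDDEN_KEYS.has(part)) throw new Error(`reserved key rejected: ${part}`);
        if (!own(current, part) || typeof current[part] !== 'object') current[part] = Object.create(null);
        current = current[part];
      }
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`reserved key rejected: ${key}`);
    current[key] = line.slice(eq + 1).trim();
  }
  return root;
}

// Constructed inputs: a benign config and a pollution payload.
const BENIGN = '[db.primary]\nhost = localhost\nport = 5432\n';
const PAYLOAD = '; looks like an ordinary config\n[__proto__]\nisAdmin = true\n';

// Feeds the payload to both parsers and reports whether an unrelated, freshly
// created object (the "victim") inherits the injected property afterwards.
function demonstrate() {
  const out = {};
  parseIniUnsafe(PAYLOAD);
  const victim = {};                    // any object created anywhere in the app
  out.unsafeLeaked = victim.isAdmin === 'true';
  delete Object.prototype.isAdmin;      // undo so the rest of the process is clean

  try { parseIniSafe(PAYLOAD); out.safeRejected = false; }
  catch (e) { out.safeRejected = true; }
  out.safeLeaked = ({}).isAdmin !== undefined;
  return out;
}

console.log(demonstrate());                        // { unsafeLeaked: true, safeRejected: true, safeLeaked: false }
console.log(parseIniSafe(BENIGN).db.primary.host); // localhost
```

The hardened parser does two independent things on purpose: the reserved-key check stops the obvious payloads and surfaces them as errors worth logging, while the null-prototype result objects mean that even an unlisted path to a prototype has nowhere to go. Returning null-prototype objects does change how consumers interact with the result (no toString, no hasOwnProperty on the object itself), so callers that need plain objects should copy the data out explicitly rather than relax the check.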

Mitigation

As of the publication date (2022-07-25), no patch has been released for ion-parser. Since the package is no longer maintained, users are advised to avoid using it or to migrate to a maintained alternative that rejects reserved keys such as __proto__, constructor and prototype or builds its result from null-prototype objects [1]. Until a migration is done, parse only files from trusted sources; as a process-wide backstop, freezing Object.prototype at startup (Object.freeze(Object.prototype)) turns pollution attempts into silent no-ops, or into a TypeError in strict mode, at the cost of breaking any dependency that legitimately extends built-in prototypes.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
ion-parser   npm         <= 0.5.2            none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
