VYPR
Moderate severity · GHSA Advisory · Published Apr 7, 2020 · Updated Aug 4, 2024

CVE-2020-7616

Description

express-mock-middleware before 0.0.7 contains a prototype pollution vulnerability allowing an attacker to modify Object.prototype by placing crafted code in a new directory that the package exports.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The express-mock-middleware package through version 0.0.6 is vulnerable to prototype pollution. The package's exported functions can be tricked into adding or modifying properties on Object.prototype because lib/index.js merges user-controlled object properties without proper filtering, as the referenced source shows [3].
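The unfiltered deep-merge pattern the overview describes, shown beside a filtered version, as an added example; this is illustrative code, not express-mock-middleware's lib/index.js, and the JSON payload is constructed:

```javascript
// Naive recursive merge: walks every enumerable key, "__proto__" included.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      // For key "__proto__", target[key] is Object.prototype itself, so the
      // recursion writes the source's properties onto every plain object.
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened merge: own keys only, prototype-related names rejected, and nested
// containers created with a null prototype so there is no chain to reach.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed mock-data file contents (not from the advisory), standing in for
// JSON the package might read from a directory an attacker can write to.
const CONSTRUCTED_PAYLOAD = '{"status": 200, "__proto__": {"polluted": "yes"}}';

// Returns true if merging the payload with mergeFn leaked a property onto
// Object.prototype; deletes it afterwards so the runtime is left intact.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(CONSTRUCTED_PAYLOAD));
  const leaked = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return leaked;
}
```

JSON.parse creates "__proto__" as an own data property, which is why both the for-in loop and Object.keys see it; only the key filter in safeMerge keeps it from reaching the prototype chain.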

Exploitation

Scenario

Exploitation of this vulnerability requires the attacker to create a new directory containing malicious code, which will then be exported by express-mock-middleware. The attacker must have the ability to place files in a location that the package processes (e.g., by controlling a mock data directory). No authentication is required beyond the ability to create files on the server where the package is used. The attack vector is considered low risk due to the prerequisite of directory creation [1][2].

Impact

A successful exploit allows an attacker to inject properties into Object.prototype, which can affect all objects in the Node.js application. This can lead to unexpected application behavior, property injection, and in some cases, denial of service if critical properties are overwritten. The default configuration of the package does not protect against this type of pollution [1].

Mitigation

As of the advisory date, no patch was available. Users should upgrade to version 0.0.7 or later if a fix has been released. Workarounds include avoiding the use of dynamic imports from untrusted directories or applying input validation on the mock data paths. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of publication [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions   Patched versions
express-mock-middleware (npm)   <= 0.0.6            (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4
