VYPR
Critical severity · NVD Advisory · Published Aug 17, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7703

Description

All versions of the nis-utils npm package are vulnerable to Prototype Pollution via the setValue function, allowing property injection into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The nis-utils npm package (all versions) contains a Prototype Pollution vulnerability in its setValue function. The function sets a property value on an object using a path string, and fails to properly sanitize the path against keys such as __proto__, constructor, or prototype. This allows an attacker to inject arbitrary properties into the base Object.prototype [1] [2].

Exploitation

Prototype Pollution is a common JavaScript vulnerability that leverages the language's prototypal inheritance mechanism. By passing a crafted object or path parameter to setValue, an attacker can pollute the global Object.prototype. Once polluted, all JavaScript objects in the application inherit the injected properties, which can alter application behavior without direct code modification [2].

Impact

Successful exploitation can lead to a range of outcomes, including denial of service (by causing JavaScript exceptions) or remote code execution (by forcing the application to follow unintended code paths). The specific impact depends on how the polluted properties are used by the application consuming nis-utils [1] [2].

Mitigation

As of the publication date (August 2020), no patched version of nis-utils was available. Developers are advised to avoid using the package or to implement input validation that blocks dangerous property keys (e.g., __proto__). The vulnerability was reported and tracked via Snyk (SNYK-JS-NISUTILS-598799) [1] [2].
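The key-blocking validation recommended above, sketched as an added example (not code from nis-utils or from the advisory). The helper names naiveSetValue and safeSetValue, the dot-separated path format and the marker property are assumptions made for illustration; the unguarded setter is included only so the effect of the guard can be observed.

```javascript
// Added example: hypothetical helpers, not the nis-utils source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded pattern: follows every key in the path, including inherited ones.
function naiveSetValue(obj, path, value) {
  const keys = path.split('.');
  let node = obj;
  for (const key of keys.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return obj;
}

// Guarded pattern: validate the whole path first, then descend through
// own properties only, so a write can never land on a shared prototype.
function safeSetValue(obj, path, value) {
  if (typeof path !== 'string' || path === '') throw new TypeError('path must be a non-empty string');
  const keys = path.split('.');
  const bad = keys.find((k) => BLOCKED_KEYS.has(k));
  if (bad !== undefined) throw new RangeError(`blocked key in path: ${bad}`);
  let node = obj;
  for (const key of keys.slice(0, -1)) {
    const child = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (child === null || typeof child !== 'object') node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return obj;
}

// Constructed inputs: a harmless marker property shows whether a write leaked.
function demo() {
  const out = {};
  naiveSetValue({}, '__proto__.marker', 'leaked');
  out.naiveLeaked = ({}).marker === 'leaked';
  delete Object.prototype.marker; // restore a clean prototype
  try {
    safeSetValue({}, '__proto__.marker', 'leaked');
    out.safeRejected = false;
  } catch (err) {
    out.safeRejected = err instanceof RangeError;
  }
  out.safeLeaked = 'marker' in {};
  out.nested = safeSetValue({ a: 1 }, 'a.b.c', 42);
  return out;
}
console.log(demo());
```

Rejecting the path before any write matters: a guard that only checks the final key would still let an earlier segment walk onto Object.prototype.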

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
nis-utils (npm) | <= 0.6.10 | (none)

Affected products

2

Patches

0

No patches discovered yet.

References

3
