VYPR
Moderate severity · NVD Advisory · Published Oct 5, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7709

Description

Prototype Pollution in json-pointer before 0.6.1 allows attackers to pollute Object prototype via crafted JSON pointer with multiple slashes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The json-pointer library (npm package) provides utilities for working with JSON pointers as defined in RFC 6901. Versions prior to 0.6.1 are vulnerable to Prototype Pollution due to insufficient validation of pointer paths. The library's set() and related functions accept pointer strings that can include multiple slashes, allowing an attacker to traverse beyond the intended object properties and reach JavaScript's built-in prototypes through property names such as __proto__, constructor, or prototype [1][4]. This flaw enables the injection of arbitrary properties into Object.prototype.

Exploitation

Prerequisites

Exploitation requires the attacker to control the pointer argument passed to functions like set(), get(), or remove(). No authentication or special network position is needed if the library processes user-supplied pointers. For example, a malicious pointer like /__proto__/polluted would set Object.prototype.polluted to a value chosen by the attacker [2][3]. The attack is straightforward and does not require complex chaining.
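
The mechanism described above, shown as an added example: this is not json-pointer's code and not its actual 0.6.1 fix. The names parsePointer, naiveSet, safeSet and demo are hypothetical; the only pointer used is the /__proto__/polluted one quoted in this advisory.

```javascript
// Added example, not json-pointer's code; all function names are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// RFC 6901: split on "/", then unescape ~1 to "/" and ~0 to "~", in that order.
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('Invalid JSON pointer: ' + pointer);
  return pointer.slice(1).split('/')
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Unguarded walk for contrast: "__proto__" is read through the inherited
// accessor, so the walk steps from the target object onto Object.prototype.
function naiveSet(obj, pointer, value) {
  const tokens = parsePointer(pointer);
  let node = obj;
  for (const tok of tokens.slice(0, -1)) {
    if (node[tok] === undefined) node[tok] = {};
    node = node[tok];
  }
  node[tokens[tokens.length - 1]] = value;
}

// Guarded walk: reject dangerous tokens after unescaping and descend only
// through own properties, so inherited objects are never written to.
function safeSet(obj, pointer, value) {
  const tokens = parsePointer(pointer);
  if (tokens.length === 0) throw new Error('Cannot set the document root');
  const bad = tokens.find((t) => FORBIDDEN.has(t));
  if (bad !== undefined) throw new Error('Forbidden pointer token: ' + bad);
  let node = obj;
  for (const tok of tokens.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, tok)) node[tok] = {};
    else if (node[tok] === null || typeof node[tok] !== 'object')
      throw new Error('Cannot descend into non-object at: ' + tok);
    node = node[tok];
  }
  node[tokens[tokens.length - 1]] = value;
}

// Runs the advisory's pointer through both setters and reports the outcome.
function demo() {
  naiveSet({}, '/__proto__/polluted', 'yes');
  const naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before continuing
  let safeRejected = false;
  try { safeSet({}, '/__proto__/polluted', 'yes'); } catch (e) { safeRejected = true; }
  return { naivePolluted, safeRejected, afterSafe: ({}).polluted };
}
```

Rejecting these tokens outright also blocks legitimate JSON keys that happen to carry those names, which is a trade-off of this example's guard.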

Impact

Successful prototype pollution can have severe consequences. By polluting Object.prototype, the attacker can alter the behavior of all objects in the application, leading to denial of service (e.g., causing exceptions), property injection that bypasses security checks, or in some contexts, remote code execution if the polluted property influences code paths [2][3]. The exact impact depends on how the application uses the polluted properties.

Mitigation

The vulnerability is fixed in json-pointer version 0.6.1. Users should update to this version or later. No workarounds are documented; the safest mitigation is to upgrade the package [1][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| json-pointer (npm) | < 0.6.1 | 0.6.1 |
| org.webjars.npm:json-pointer (Maven) | < 0.6.1 | 0.6.1 |
