VYPR
Critical severity · GHSA Advisory · Published Sep 1, 2020 · Updated Sep 17, 2024

Prototype Pollution

CVE-2020-7726

Description

The safe-object2 npm package is vulnerable to Prototype Pollution via its setter function, allowing attackers to inject arbitrary properties.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The safe-object2 package, in all versions, is vulnerable to Prototype Pollution through its setter function. Prototype Pollution is a JavaScript vulnerability that allows an attacker to inject properties into built-in object prototypes by way of special property names such as __proto__, constructor, and prototype. By manipulating these magical attributes, the attacker can overwrite or pollute the Object prototype [1][2].

Exploitation

Details

This vulnerability can be triggered when the package's setter function processes user-controlled input without proper sanitization. An attacker can craft a malicious object or property path that contains a segment like __proto__ or constructor.prototype. For instance, if the property path __proto__.polluted is passed to the setter, it will write the value directly to Object.prototype, so every object in the application (existing and subsequently created) inherits the injected property [2].

Impact

Successful exploitation leads to Prototype Pollution. The consequences can include denial of service (by causing JavaScript exceptions), or more severe impacts such as remote code execution if the polluting property alters application logic to force a specific code path [2]. Since the property is inherited by all JavaScript objects, the entire application environment can be compromised.

Mitigation

As of the publication date, the vulnerability is unpatched. The package has been marked as vulnerable by security advisories. Users should avoid using the safe-object2 setter function with untrusted input, or migrate to a different package that does not have this flaw [1][2].
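The added example below is not safe-object2's code. It shows a hypothetical deep "set by path" helper of the kind the Exploitation and Mitigation sections describe, beside a hardened version that refuses the reserved keys and only descends into own properties. The function names (naiveSet, safeSet, demoNaivePollutes) and the sample path strings are constructed for this illustration.

```javascript
// Hypothetical naive setter (not the package's code): walks a dotted path and
// creates intermediate objects. With a segment "__proto__", cur[k] resolves to
// Object.prototype, so the final assignment lands on the shared prototype.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Keys that must never be traversed or assigned from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened setter: rejects reserved segments up front and only descends into
// own, plain-object properties, so an inherited property can never become the
// traversal target.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set reserved key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Returns true if a given property name has leaked onto Object.prototype,
// the check a reviewer or test suite can run after feeding a setter
// untrusted paths.
function isPolluted(name) {
  return ({})[name] !== undefined;
}

// Demonstrates the flaw class with the naive setter, then cleans the shared
// prototype so the rest of the process is unaffected. Returns whether a fresh
// object inherited the injected property.
function demoNaivePollutes() {
  naiveSet({}, '__proto__.polluted', 'yes');
  const leaked = isPolluted('polluted');
  delete Object.prototype.polluted;
  return leaked;
}

// Returns true if the hardened setter refused the path with a TypeError.
function safeSetRejects(path) {
  try {
    safeSet({}, path, 'yes');
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The defensive rule is the one the Mitigation section implies: a setter that accepts caller-supplied paths must treat __proto__, constructor and prototype as reserved and must not walk through inherited properties. Running isPolluted('polluted') after exercising a setter with such paths is a cheap regression check for this bug class.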

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: safe-object2 (npm)
Affected versions: <= 1.0.3
Patched versions: none

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.