VYPR
Critical severity · NVD Advisory · Published Sep 1, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7727

Description

The 'gedi' npm package is vulnerable to Prototype Pollution via its set function, potentially leading to remote code execution or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The gedi npm package is vulnerable to Prototype Pollution through its set function [1][2]. Prototype Pollution occurs when an attacker manipulates the __proto__ property of a JavaScript object to inject arbitrary properties into Object.prototype, which every ordinary object in the application then inherits [2].

Exploitation

An attacker can exploit this vulnerability by supplying a crafted input to the set function that includes a __proto__ property [2]. This can be achieved via unsafe recursive merge operations or property definition by path, common patterns in JavaScript libraries [2]. No authentication or special network position is required; the attack can be carried out by any user who can control input to the set function.

Impact

Successful exploitation allows an attacker to pollute the Object prototype, potentially leading to denial of service (e.g., triggering JavaScript exceptions) or remote code execution by forcing the application to follow an unintended code path [2]. The impact depends on how the application uses the polluted properties.

Mitigation

As of the publication date, no patch has been released for gedi. Users should avoid passing untrusted input to the set function and consider freezing Object.prototype or validating input so that keys such as __proto__ are rejected before they reach set [1][2].
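The set-by-path pattern named in the Exploitation and Mitigation sections, as an added example that is not gedi's code: a naive helper in which a `__proto__` path segment reaches Object.prototype, a hardened version that refuses such segments, and a small regression check a defender can run against either. The marker key used by the check is constructed for this example.

```javascript
// Path segments that let a dotted-path write land on Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern (illustrative, not gedi's implementation): the segments are
// never inspected, so "__proto__.x" steps onto Object.prototype and writes x there.
function setByPathUnsafe(target, path, value) {
  const parts = path.split(".");
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened version: refuse the dangerous segments up front and only descend
// into the target's own properties, never into inherited ones.
function setByPathSafe(target, path, value) {
  const parts = path.split(".");
  for (const part of parts) {
    if (FORBIDDEN_SEGMENTS.has(part)) {
      throw new TypeError(`refusing to set through unsafe key "${part}"`);
    }
  }
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Regression check for any set-by-path helper: try the path shape described above
// with a constructed marker key, see whether a fresh object inherits it, then clean up.
function isPollutable(setFn) {
  const marker = "vyprPollutionMarker"; // constructed name, not a real property
  try {
    setFn({}, `__proto__.${marker}`, true);
    return ({})[marker] === true;
  } catch (e) {
    return false; // a hardened helper rejects the path outright
  } finally {
    delete Object.prototype[marker];
  }
}
```

Running `isPollutable` against a project's own set helper in CI turns the advisory's condition into a repeatable test rather than a one-off review finding.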

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: gedi (npm)
Affected versions: <= 1.6.3
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.