Prototype Pollution
Description
safetydance npm package vulnerable to Prototype Pollution via its set function, allowing attackers to pollute Object.prototype leading to potential RCE or DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
The safetydance npm package, designed to provide exception safety for Node.js functions, is vulnerable to Prototype Pollution through its set function [1]. The set function does not sanitize property keys such as __proto__, constructor, or prototype, allowing an attacker to inject properties into the global Object.prototype [3]. This is a classic Prototype Pollution vulnerability that affects all versions of the package [2].
Exploitation
An attacker can exploit this by passing the set function a key path whose segments include __proto__ (or constructor followed by prototype), so that the nested write lands on Object.prototype instead of on the target object. If the application uses user-controlled input to set nested properties via safetydance, the attacker can pollute the prototype chain. No authentication is required if the vulnerable function is exposed to untrusted data [3]. The attack surface depends on how the application uses the library, but any code path that calls set with attacker-controlled keys is susceptible.
Impact
Successful exploitation can lead to denial of service (DoS) by triggering JavaScript exceptions or, more critically, remote code execution (RCE) by altering the behavior of the application's objects [3]. Because properties on Object.prototype are inherited by all objects, a single pollution can affect the entire application, potentially allowing the attacker to bypass security checks or execute arbitrary code.
Mitigation
As of the publication date, no patch is available for this vulnerability [1][2]. The package appears to be unmaintained (the repository has moved to a new location). Users are advised to avoid using the set function with untrusted input or to replace safetydance with an alternative library that properly sanitizes property keys [3].
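To make the exploitation and mitigation concrete, here is an added example that is not safetydance's own source: a minimal dotted-path setter with the unsanitized behaviour the advisory describes, beside a hardened version that rejects reserved keys and only descends into own properties, plus a small detection helper. The set(target, path, value) signature and the sample payload are assumptions made for illustration.

```javascript
// Added example, not safetydance's own code: a minimal dotted-path setter
// with the unsanitized behaviour the advisory describes, beside a hardened
// version. The set(target, path, value) signature is an assumption.

// Snapshot of Object.prototype's own keys at load time, used by the
// detection helper below to spot keys that appear later.
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Vulnerable pattern: walk the path, creating intermediate objects, and
// never inspect the segments. "__proto__" resolves to Object.prototype,
// so the final assignment lands on the shared prototype.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Keys that reach the prototype chain. "constructor" and "prototype" are
// listed because setters that also traverse functions can be steered
// through constructor.prototype; this particular setter only traverses objects.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: reject reserved segments up front, and only descend
// into own properties so an inherited object can never become `cur`.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (RESERVED_KEYS.has(k)) {
      throw new TypeError(`refusing to set reserved key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Detection helper: own keys on Object.prototype that were not present
// at load time. A non-empty result means something polluted it.
function newPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !PROTO_BASELINE.has(k));
}

// Attacker-controlled path, constructed for the demonstration. Returns
// what a fresh object inherits and what the detector sees, then cleans up.
function demoPollution() {
  const attackerPath = '__proto__.isAdmin';
  unsafeSet({}, attackerPath, true);
  const result = {
    inherited: ({}).isAdmin === true, // a naive `if (user.isAdmin)` now passes
    detected: newPrototypeKeys(),
  };
  delete Object.prototype.isAdmin; // restore the shared prototype
  return result;
}

// Same payload against the hardened setter: thrown, and nothing leaks.
function demoHardened() {
  let blocked = false;
  try {
    safeSet({}, '__proto__.isAdmin', true);
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  return { blocked, inherited: ({}).isAdmin === true };
}

console.log('vulnerable:', demoPollution());
console.log('hardened:', demoHardened());
console.log('benign path:', JSON.stringify(safeSet({}, 'a.b.c', 1)));
```

The key check is the cheap part; the own-property check matters just as much, because a setter that happily descends into an inherited object will reach the prototype through keys other than __proto__ once something else has put an object there. As defence in depth, independent of the library, store untrusted key/value data in null-prototype objects (Object.create(null)), where __proto__ is an ordinary key, and consider Object.freeze(Object.prototype) early in process startup so any remaining pollution attempt fails loudly instead of silently.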
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| safetydance (npm) | <= 1.1.1 | — |
Affected products
- Range: <= 1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6m85-wvcr-pgw3 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7737 (NVD)
- snyk.io/vuln/SNYK-JS-SAFETYDANCE-598687 (Snyk)
- www.npmjs.com/package/safetydance (npm package page)
News mentions
No linked articles in our index yet.