VYPR
High severity · OSV Advisory · Published Oct 25, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7751

Description

Pathval before v1.1.1 is vulnerable to prototype pollution, enabling denial of service or potential remote code execution via crafted object paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pathval is a JavaScript library for retrieving or setting an object's property given a string path [4]. Versions before 1.1.1 are vulnerable to prototype pollution, a JavaScript flaw where an attacker can inject properties into existing object prototypes, such as Object.prototype [2]. This occurs because the library does not properly sanitize path inputs, allowing manipulation of built-in prototype attributes like __proto__ or constructor [1].

An attacker can exploit this by providing a malicious string path (e.g., containing __proto__) to the setPathValue function, which then pollutes the global object prototype [2][4]. The attack requires the application to parse user-controlled path strings, often through API endpoints or configuration inputs. No special privileges are needed beyond the ability to supply such paths.

Upon successful exploitation, the attacker can trigger denial of service by causing JavaScript exceptions or alter application logic to facilitate remote code execution [2]. Because all objects inherit from the polluted prototype, the impact can be widespread, affecting multiple application components.

The issue was addressed in version 1.1.1, released on October 25, 2020, by introducing proper sanitization of path strings [1][3]. Users should immediately update to this or a later version. Packages that depend on pathval may also need to be updated so that they pull in the fixed version.
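The mechanism described above, as an added illustration that is not pathval's own code: a naive dotted-path setter that follows inherited properties, the hardened form that rejects `__proto__`, `constructor` and `prototype` segments and only descends into own properties, and a check a test suite can run to confirm Object.prototype is clean. The function names, the dotted-path format and the `polluted` key are assumptions for the example.

```javascript
// Added example, not pathval's code: a naive dotted-path setter in the style the
// advisory describes, beside a hardened variant that refuses prototype segments.
function setPathValueNaive(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    // Follows inherited properties, so "__proto__" walks into Object.prototype.
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Segments that address the prototype chain rather than own data properties.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathValueSafe(obj, path, value) {
  const parts = path.split('.');
  const bad = parts.find((p) => FORBIDDEN_SEGMENTS.has(p));
  if (bad !== undefined) throw new Error(`rejected path segment: ${bad}`);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    // Descend only into own, non-null object properties, never inherited ones.
    const next = Object.prototype.hasOwnProperty.call(cur, parts[i]) ? cur[parts[i]] : undefined;
    if (next === null || typeof next !== 'object') cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Detection check: a fresh empty object must not see `key` on its prototype chain.
function isPrototypePolluted(key) {
  return key in {};
}

// Exercises both setters on a constructed malicious path; restores Object.prototype.
function demonstrate() {
  const out = {};
  try {
    setPathValueNaive({}, '__proto__.polluted', 'yes');
    out.naivePolluted = isPrototypePolluted('polluted');
    try { setPathValueSafe({}, '__proto__.polluted', 'yes'); out.safeRejected = false; }
    catch (e) { out.safeRejected = true; }
    out.safeNormal = setPathValueSafe({}, 'a.b.c', 42).a.b.c;
  } finally {
    delete Object.prototype.polluted;
  }
  return out;
}
```

The `isPrototypePolluted` check is cheap enough to run after each test case in a CI suite, which catches any path-setting helper that regresses to following inherited properties.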

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
pathval (npm)   < 1.1.1             1.1.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)