VYPR
Moderate severity · NVD Advisory · Published Jan 29, 2021 · Updated Sep 17, 2024

Prototype Pollution

CVE-2021-23328

Description

Prototype pollution in iniparserjs allows attackers to overwrite Object prototype via crafted INI input, leading to potential RCE or DoS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2021-23328 is a prototype pollution vulnerability in the iniparserjs npm package, affecting all versions. The flaw resides in the ini_parser.js module when it processes arrays during INI file parsing. By providing specially crafted input, an attacker can inject properties into the global Object.prototype, a technique known as prototype pollution [1][2].

Attack Vector and Exploitation

The vulnerability is triggered when the parser merges user-supplied INI data into internal objects without proper sanitization. If an attacker can control the INI file content (e.g., via file upload or configuration injection), they can set properties like __proto__ or constructor.prototype to pollute the base object. No authentication is required if the parser processes untrusted input; the attack surface is any application that uses iniparserjs to parse external INI files [2].

Impact

Successful exploitation allows an attacker to overwrite properties inherited by all JavaScript objects in the application. This can lead to denial of service (DoS) via unexpected exceptions, or more critically, remote code execution (RCE) by altering the application's control flow. The Snyk advisory notes that prototype pollution can tamper with application logic and force code paths chosen by the attacker [2].

Mitigation

The iniparserjs package has been deprecated and is no longer maintained [3]. Users should migrate to an alternative INI parser library that is actively supported and does not suffer from prototype pollution. No patch is available; the only remediation is to stop using the package.
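As an added illustration of the merge weakness described under Attack Vector and Exploitation and of what a replacement parser must do differently, the following JavaScript is constructed here; it is not iniparserjs code and not guidance from its maintainers. It applies two controls (refuse section and key names that can reach Object.prototype, and build results on prototype-less objects) and adds a post-parse check a defender can run after processing untrusted INI text. The parser, sample input and helper names are assumptions.

```javascript
// Added example, not iniparserjs code. Key names that a naive merge would
// walk into Object.prototype are rejected outright.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new Error(`rejected unsafe INI key: ${key}`);
  }
  return key;
}

// Minimal INI parser: [a.b] sections nest via dots, key = value pairs.
// Every container is Object.create(null), so even an unfiltered key could
// only create an own property, never touch Object.prototype.
function parseIniSafe(text) {
  const root = Object.create(null);
  let current = root;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      current = root;
      for (const part of section[1].split('.')) {
        const name = assertSafeKey(part.trim());
        if (!(name in current)) current[name] = Object.create(null);
        current = current[name];
      }
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) throw new Error(`malformed line: ${line}`);
    const key = assertSafeKey(line.slice(0, eq).trim());
    current[key] = line.slice(eq + 1).trim();
  }
  return root;
}

// Detection: after parsing untrusted input, confirm nothing leaked into
// Object.prototype (a fresh {} must not inherit the probe key, and the
// prototype must still have no enumerable properties).
function prototypeIsClean(probeKey) {
  return !(probeKey in {}) && Object.keys(Object.prototype).length === 0;
}

// Constructed inputs: a benign config and one whose section name targets the prototype.
const BENIGN_INI = '[server]\nhost = localhost\nport = 8080\n';
const HOSTILE_INI = '[__proto__]\npolluted = yes\n';

function demo() {
  const cfg = parseIniSafe(BENIGN_INI);
  let rejected = false;
  try { parseIniSafe(HOSTILE_INI); } catch (e) { rejected = true; }
  return { host: cfg.server.host, rejected, clean: prototypeIsClean('polluted') };
}
```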

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: iniparserjs (npm)
Affected versions: <= 1.0.4
Patched versions: none

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4
