VYPR
Critical severity · NVD Advisory · Published Jul 25, 2022 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23373

Description

set-deep-prop npm package prior to 1.1.0 is vulnerable to Prototype Pollution via its main functionality, allowing property injection into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The set-deep-prop npm package is vulnerable to Prototype Pollution in all versions prior to 1.1.0. Prototype Pollution is a JavaScript vulnerability that allows an attacker to inject arbitrary properties into an object's prototype, typically by manipulating special attributes like __proto__, constructor, or prototype [1][2]. The set-deep-prop library's core functionality, which sets deep property paths on objects, does not sanitize input paths or prevent access to the prototype chain, enabling this attack [1][2].

Attack Vector & Exploitation

An attacker can exploit this flaw by crafting a malicious object or path argument that includes prototype-polluting keys. When the library processes such input without validation, it recursively assigns values to properties like __proto__ or constructor.prototype [2]. This pattern is similar to other vulnerable deep-merge or property-definition-by-path libraries described in security advisories [2]. The attack does not require authentication if the application accepts user-controlled objects or paths that are passed to set-deep-prop.

Impact

Successful prototype pollution can lead to severe consequences. By polluting Object.prototype, all JavaScript objects in the application inherit the injected properties, which can alter normal behavior. This can trigger denial of service (e.g., crashes from unexpected prototype modifications) or, more critically, tamper with application logic to force code paths leading to remote code execution [2]. The impact depends on how the polluted prototype interacts with other parts of the application.

Mitigation

The vulnerability has been patched in version 1.1.0 of set-deep-prop. Users should upgrade to at least version 1.1.0 to remediate the issue. There is no evidence this CVE is on the CISA Known Exploited Vulnerabilities (KEV) list. Affected applications should also review their input validation for any deep-property setting operations to prevent similar attacks.
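The two sections above describe the mechanism (a path-based deep setter that walks into `__proto__` or `constructor.prototype`) and the fix (validate the path before setting). The following is an added illustration, not code from set-deep-prop or its maintainers: a generic unsanitised deep setter of the kind the advisory describes, beside a hardened version that refuses prototype-chain keys and only descends into properties the target object itself owns. All function names (`setDeepUnsafe`, `setDeepSafe`, `isPolluted`, `demonstrate`) are constructed for this example.

```javascript
// Added example, not set-deep-prop's own code. Constructed to show the
// path-based deep-set pattern from the advisory and one way to harden it.

// Keys that reach the prototype chain when used as a path segment.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept either "a.b.c" or ['a', 'b', 'c'] and normalise to string segments.
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Illustrative unsanitised setter: creates/walks intermediate objects and
// assigns the final segment without looking at the keys. For a path such as
// "__proto__.polluted", cur["__proto__"] is Object.prototype, so the final
// assignment lands there and every object in the process inherits it.
function setDeepUnsafe(target, path, value) {
  const segs = toSegments(path);
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
      cur[segs[i]] = {};
    }
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Hardened setter: rejects any segment that names the prototype chain and
// never walks into inherited properties, so a previously polluted prototype
// cannot be reached through an intermediate object either.
function setDeepSafe(target, path, value) {
  const segs = toSegments(path);
  if (segs.length === 0 || segs.some((s) => FORBIDDEN_KEYS.has(s))) {
    throw new TypeError(`refusing path with prototype-chain key: ${segs.join('.')}`);
  }
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Detection helper: the observable symptom of a successful pollution is a new
// own property on Object.prototype.
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs both setters against the same hostile path and reports what happened.
// The pollution caused by the unsafe setter is undone before returning.
function demonstrate() {
  const out = {};
  setDeepUnsafe({}, '__proto__.polluted', 'yes');
  out.unsafePolluted = isPolluted('polluted');
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected

  try {
    setDeepSafe({}, '__proto__.polluted', 'yes');
    out.safeRejected = false;
  } catch (e) {
    out.safeRejected = e instanceof TypeError;
  }
  out.safeStillPolluted = isPolluted('polluted');

  // Ordinary paths still work with the hardened setter.
  out.safeNormal = setDeepSafe({}, 'config.db.port', 5432).config.db.port;
  return out;
}

console.log(demonstrate());
```

The hardened setter is deliberately strict: it rejects a key named `constructor` anywhere in the path rather than trying to reason about which positions are dangerous. Applications that must accept arbitrary user-supplied keys should additionally store them in a `Map` or an `Object.create(null)` object, which has no prototype to pollute.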

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: set-deep-prop (npm)
Affected versions: <= 1.0.0
Patched versions: (none listed)

Affected products: 2

Patches: 0 (none discovered yet)

References: 3

News mentions: 0