VYPR
High severity · NVD Advisory · Published Jun 15, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23395

Description

All versions of the nedb npm package are vulnerable to prototype pollution via __proto__ or constructor.prototype payloads, allowing property injection into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The nedb npm package (all versions) is vulnerable to prototype pollution. The library does not sanitize keys such as __proto__ or constructor.prototype when processing data, so an attacker can inject properties into the base Object prototype [1][2].

Exploitation

An attacker can craft a payload containing __proto__ or constructor.prototype properties. When the nedb library processes this payload (e.g., during document insertion or update), it recursively merges the payload into internal objects without proper validation, polluting the global Object prototype [2]. No authentication or special privileges are required; the attacker only needs to supply malicious input to the library.

Impact

Successful exploitation leads to prototype pollution, which can cause denial of service (via JavaScript exceptions) or, in some cases, remote code execution if the application's code path is altered by the injected properties [2]. The pollution affects all JavaScript objects in the runtime, potentially leading to unexpected behavior across the application.

Mitigation

As of the publication date (2021-06-15), no fix has been released for nedb. The package appears to be unmaintained; users should consider migrating to an alternative database library that is actively maintained and not vulnerable to prototype pollution [1]. No workaround is available within nedb itself.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
nedb      npm         <= 1.8.0            none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.