Moderate severity · GHSA Advisory · Published Aug 24, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23432

Description

All versions of mootools are vulnerable to prototype pollution via Object.merge() due to unsafe recursive merge.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The mootools package is vulnerable to prototype pollution in all versions [2]. The Object.merge() function performs an unsafe recursive merge, allowing an attacker to inject properties into the global Object.prototype by passing a crafted object with a __proto__ property [2]. This affects the mootools package available on npm [3].

Exploitation

An attacker can exploit this vulnerability by providing untrusted input to Object.merge() [2]. No authentication or special privileges are required; the attack can be performed remotely by supplying a maliciously crafted object [2]. The merge function recursively copies properties from the source to the target, and if the source contains __proto__, the pollution occurs during the recursive step [2].

Impact

Successful exploitation leads to prototype pollution, which can result in denial of service (via JavaScript exceptions), tampering with application logic, or remote code execution [2]. The pollution affects all objects inheriting from Object.prototype, potentially compromising the entire application [2].

Mitigation

No official fix has been released for mootools [3]. The library is considered outdated and users are advised to migrate to modern alternatives [3]. As of this writing, no workaround is available, and the vulnerability remains unpatched [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mootools (npm)
Affected versions: <= 1.5.2
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

3