VYPR
Critical severity · NVD Advisory · Published Oct 11, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23448

Description

All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

All versions of config-handler are vulnerable to prototype pollution via deep merging of config files, allowing property injection.

Vulnerability

Config-handler, a Node.js package for loading and deep-merging configuration files, is vulnerable to Prototype Pollution in all versions [1]. When loading config files (e.g., config/all.js, environment-specific files), the library performs a recursive merge of objects without proper sanitization. This allows an attacker to inject properties such as __proto__ into the merge process, polluting the global Object prototype [3].

Exploitation

An attacker can exploit this by providing a malicious configuration file (e.g., JSON or JavaScript file) that contains a __proto__ property. When config-handler loads and deeply merges this file with existing configuration, the malicious property is copied onto Object.prototype, affecting all objects in the application [3]. No authentication or special network position is required if the attacker can inject a config file (e.g., via uncontrolled file upload or dependency chain).

Impact

Successful exploitation leads to prototype pollution, which can result in denial of service (e.g., by overriding properties causing exceptions) or modification of application behavior. In some contexts, this can lead to remote code execution if the polluted properties affect critical code paths [3]. The impact depends on how the application uses the polluted objects.

Mitigation

As of the publication date, no fix has been released for config-handler. The GitHub issue [1] confirms the vulnerability. Users should avoid using config-handler with untrusted config files or consider replacing it with an alternative that does not perform unsafe recursive merges. The package is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Developers should sanitize config files to remove __proto__, constructor, and prototype keys if updating is not possible.
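The following is an added example, not config-handler's own code and not part of the AI Insight: a recursive merge that skips the three keys named above, a scrubber that reports any such keys found in a parsed config file, and a runtime check that Object.prototype has not acquired unexpected properties. The sample config text and all function names are constructed for the example.

```javascript
// Added example (not config-handler's own code): a recursive merge that skips
// the keys named in the Mitigation section, a scrubber that reports them, and
// a runtime check that Object.prototype has not been polluted.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Merge own keys only; blocked keys are skipped, so the recursion can never
// descend into target['__proto__'] (which is Object.prototype).
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    target[key] = isPlainObject(value)
      ? safeDeepMerge(isPlainObject(own) ? own : {}, value) : value;
  }
  return target;
}

// Remove blocked keys from a parsed config tree and return their paths, so a
// loader can log a tampered config file instead of silently merging it.
function stripPollutionKeys(node, path = '$', removed = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => stripPollutionKeys(v, `${path}[${i}]`, removed));
  } else if (isPlainObject(node)) {
    for (const key of Object.keys(node)) {
      if (BLOCKED_KEYS.has(key)) { delete node[key]; removed.push(`${path}.${key}`); }
      else stripPollutionKeys(node[key], `${path}.${key}`, removed);
    }
  }
  return removed;
}

// JSON.parse stores "__proto__" as an ordinary own property, which is exactly
// what an unguarded recursive merge walks into.
function loadConfigSafely(text, defaults = {}) {
  const parsed = JSON.parse(text);
  const removed = stripPollutionKeys(parsed);
  return { config: safeDeepMerge(defaults, parsed), removed };
}

// Pollution shows up as own enumerable keys on Object.prototype.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample config carrying the key pattern the advisory describes.
const SAMPLE_CONFIG_TEXT = '{"db":{"host":"localhost"},"__proto__":{"polluted":"yes"}}';
```

In production, treat a non-empty `removed` list as a signal worth alerting on, since a well-formed config file has no reason to carry those keys.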

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: config-handler (npm)
Affected versions: <= 2.0.3
Patched versions: none

Affected products: 3

Patches: 0 (no patches discovered yet)
