VYPR
Moderate severity · NVD Advisory · Published Nov 3, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23509

Description

json-ptr before 3.0.0 allows prototype pollution via arrays in pointer keys, bypassing a previous fix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions of the json-ptr package before 3.0.0 are vulnerable to a type confusion issue when the user-provided pointer parameter is an array of keys rather than a string. This allows an attacker to bypass the fix for CVE-2020-7766, which addressed prototype pollution via string-based pointers. The vulnerability occurs because the library does not properly validate array-type keys, enabling pollution of Object.prototype. [1][2]

Exploitation

An attacker can supply a crafted pointer containing array keys to the json-ptr API. No authentication or special network position is required if the application processes user-controlled pointer values. The attacker provides a pointer such as ['__proto__', 'polluted'] to set a property on the prototype. [2]

Impact

Successful exploitation leads to prototype pollution, which can result in denial of service, property injection, or potentially remote code execution depending on the application's use of the polluted properties. The attacker can inject arbitrary properties into the global object prototype, affecting all objects. [2]

Mitigation

Upgrade to json-ptr version 3.0.0 or later, which fixes the type confusion and properly validates pointer keys. No workaround is available for earlier versions. [1][2]
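The Vulnerability and Mitigation passages above describe a check that covered string pointers but not pre-split array keys, and a fix that validates pointer keys regardless of form. The following JavaScript is an added, constructed example and is not json-ptr's own code or its actual patch: `naiveStringOnlyCheck` illustrates the type-confusion gap (a check applied only when the raw value is a string), and `safeSet` shows the hardened pattern of normalising both pointer shapes into segments first, then rejecting prototype-related segments and descending only through own properties. All function names and the probe key are assumptions of this example.

```javascript
// Added example (not json-ptr's code): a minimal RFC 6901 "set" that accepts
// either a pointer string ("/a/b") or an already-split array (["a", "b"]),
// normalises both to segments, and validates every segment before writing.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Illustrative only: a check that inspects the raw value before splitting.
// It examines string pointers but lets an array pass untouched, which is the
// type-confusion gap the advisory describes.
function naiveStringOnlyCheck(pointer) {
  if (typeof pointer === 'string') {
    return !pointer.split('/').some((s) => FORBIDDEN_SEGMENTS.has(s));
  }
  return true; // arrays are never inspected here
}

// RFC 6901 unescaping: "~1" becomes "/", then "~0" becomes "~".
function unescapeSegment(seg) {
  return seg.replace(/~1/g, '/').replace(/~0/g, '~');
}

// Normalise a string or array pointer into a list of string segments.
function toSegments(pointer) {
  if (Array.isArray(pointer)) {
    return pointer.map((s) => {
      if (typeof s !== 'string') throw new TypeError('pointer segment must be a string');
      return s;
    });
  }
  if (typeof pointer !== 'string') throw new TypeError('pointer must be a string or array');
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new SyntaxError('JSON Pointer must start with "/"');
  return pointer.slice(1).split('/').map(unescapeSegment);
}

// Hardened check: runs after normalisation, so both shapes are covered.
function assertSafeSegments(segments) {
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing to traverse prototype-related key "${seg}"`);
    }
  }
  return segments;
}

// Set `value` at `pointer` inside `target`, creating plain objects as needed.
function safeSet(target, pointer, value) {
  const segments = assertSafeSegments(toSegments(pointer));
  if (segments.length === 0) throw new Error('cannot replace the root document');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    // Descend only through own, non-null object properties; never follow
    // inherited ones, so a lookup can never land on the prototype chain.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Returns true when safeSet refused the pointer AND a fresh object did not
// gain `probeKey` (i.e. Object.prototype was left untouched).
function attemptIsBlocked(pointer, probeKey) {
  let blocked = false;
  try {
    safeSet({}, pointer, 'x');
  } catch (e) {
    blocked = true;
  }
  return blocked && !(probeKey in {});
}

// Constructed inputs: the array form named in the advisory and its string form.
console.log('naive check accepts array form:', naiveStringOnlyCheck(['__proto__', 'polluted']));
console.log('hardened set blocks array form:', attemptIsBlocked(['__proto__', 'polluted'], 'polluted'));
console.log('hardened set blocks string form:', attemptIsBlocked('/__proto__/polluted', 'polluted'));
```

The design point is ordering: validation that happens before the pointer is normalised can only reason about the shapes it anticipated, whereas validation on the segment list applies to every input shape the API accepts. The own-property check in the descent loop is a second, independent layer that stops traversal from ever resolving an inherited key even if a new bypass of the segment filter were found.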

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem  Affected versions  Patched versions
json-ptr  npm        < 3.0.0            3.0.0

Affected products: 2

Patches: 1

References: 6

News mentions: 0