VYPR
Critical severity · NVD Advisory · Published Dec 24, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23574

Description

All versions of js-data are vulnerable to Prototype Pollution via the deepFillIn and set functions, allowing attackers to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The js-data package is vulnerable to Prototype Pollution through its deepFillIn and set utility functions [1]; the GitHub Security Advisory lists every released version (<= 3.0.10) as affected, with no fixed release. The issue is a consequence of the incomplete fix for CVE-2020-28442 [3]. Neither function rejects user-controlled keys such as __proto__, constructor or prototype, so a crafted source object (for deepFillIn) or a crafted property path (for set) walks onto Object.prototype and writes properties there. The affected code path is reachable whenever an application passes untrusted data to deepFillIn or set without prior validation.

Exploitation

An attacker supplies a crafted object to deepFillIn, or a crafted property path to set, containing a prototype-reaching key such as __proto__ or constructor.prototype [3]. For example, deepFillIn(target, { '__proto__': { 'polluted': true } }) merges the nested object into target's prototype, which for a plain object is the global Object.prototype, so every object in the process afterwards reports polluted === true. (When the payload arrives through JSON.parse, the __proto__ key is an ordinary own property and is enumerated like any other.) No authentication or special network position is required; the only precondition is that the application feeds attacker-influenced input, such as a JSON request body or API parameters, into one of these functions.

Impact

Successful exploitation results in Prototype Pollution, which can lead to denial of service (for example, unexpected exceptions or hangs when code encounters properties it did not expect), property injection that alters application behaviour, and in some contexts remote code execution if the polluted properties flow into security-sensitive operations such as template rendering or child-process options [3]. Because the write lands on Object.prototype, it affects every object in the process that inherits from it, which is how polluted values end up bypassing security checks (an unset isAdmin-style flag now reads true) or overriding default configuration.

Mitigation

As of the publication date (2021-12-24), no patched version of js-data has been released [1], and the advisory still records no patch. The vulnerability exists because the fix for the earlier issue (CVE-2020-28442) was incomplete. Users should avoid passing untrusted data to deepFillIn and set, or migrate to an alternative library that is not susceptible to Prototype Pollution. Generic defence in depth also applies: reject or strip __proto__, constructor and prototype keys from untrusted input before it reaches any recursive merge, build lookup objects with Object.create(null), and consider Object.freeze(Object.prototype) at process start so that such writes fail instead of silently succeeding. The vulnerability is tracked in Snyk databases [3].
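The exploitation and mitigation described above, as an added example that is not js-data's own code: a minimal model of a recursive "fill in" merge and a dotted-path "set", each in a vulnerable form (no key filtering, matching the pattern the advisory describes) beside a hardened form. The function names unsafeDeepFillIn, safeDeepFillIn, unsafeSet, safeSet and runDemo, and the attacker payload, are constructed for this illustration. The payload is fed through JSON.parse because a "__proto__" key in a JSON document becomes an ordinary own property, whereas a quoted '__proto__' key in a JavaScript object literal sets the literal's prototype instead and would not reproduce the bug.

```javascript
// Added example, not js-data's implementation: models the vulnerable pattern
// (walking source keys with no check for __proto__ / constructor / prototype)
// and a hardened variant of each function.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: for a key named "__proto__", dest[key] resolves to dest's
// prototype (Object.prototype for a plain object) and the recursion then
// writes the nested payload onto it.
function unsafeDeepFillIn(dest, source) {
  for (const key of Object.keys(source)) {
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!isPlainObject(dest[key])) dest[key] = {};
      unsafeDeepFillIn(dest[key], sv);
    } else if (!(key in dest)) {
      dest[key] = sv;
    }
  }
  return dest;
}

// Hardened: prototype-reaching keys are dropped and only own properties of
// dest are consulted, so nothing is written through the prototype chain.
function safeDeepFillIn(dest, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!hasOwn(dest, key) || !isPlainObject(dest[key])) dest[key] = {};
      safeDeepFillIn(dest[key], sv);
    } else if (!hasOwn(dest, key)) {
      dest[key] = sv;
    }
  }
  return dest;
}

// Vulnerable: a path like "__proto__.isAdmin" walks onto Object.prototype.
function unsafeSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    if (!isPlainObject(cur[part])) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: refuse any path segment that can reach the prototype chain.
function safeSet(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new Error(`refusing prototype-reaching path: ${path}`);
  }
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    if (!hasOwn(cur, part) || !isPlainObject(cur[part])) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs each variant against a constructed attacker payload and reports what a
// fresh, unrelated object inherits afterwards. The pollution is removed between
// steps so each observation is independent of the previous one.
function runDemo() {
  const attackerJson = '{"name":"alice","__proto__":{"isAdmin":true}}';  // constructed input
  const probe = () => ({}).isAdmin;  // what any brand-new object sees

  const before = probe();                              // undefined
  unsafeDeepFillIn({}, JSON.parse(attackerJson));
  const afterUnsafeFillIn = probe();                  // true: every object is now "admin"
  delete Object.prototype.isAdmin;

  const merged = safeDeepFillIn({}, JSON.parse(attackerJson));
  const afterSafeFillIn = probe();                    // undefined: __proto__ key dropped

  unsafeSet({}, '__proto__.isAdmin', true);
  const afterUnsafeSet = probe();                     // true
  delete Object.prototype.isAdmin;

  let safeSetRejected = false;
  try { safeSet({}, '__proto__.isAdmin', true); } catch (e) { safeSetRejected = true; }
  const afterSafeSet = probe();                       // undefined

  return { before, afterUnsafeFillIn, mergedKeys: Object.keys(merged),
           afterSafeFillIn, afterUnsafeSet, safeSetRejected, afterSafeSet };
}

console.log(runDemo());
```

The hardened versions filter constructor as well as __proto__, because a path such as constructor.prototype.isAdmin reaches Object.prototype through the Object constructor without ever naming __proto__. Filtering alone is still a deny-list; Object.freeze(Object.prototype) at startup or null-prototype containers make the write fail even if a key slips through.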

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: js-data (npm)
Affected versions: <= 3.0.10
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 8