VYPR
Moderate severity · NVD Advisory · Published Dec 10, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23663

Description

All versions of the JavaScript build tool 'sey' are vulnerable to Prototype Pollution via its deepmerge() function, allowing attackers to pollute object prototypes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The deepmerge() function in the Sey build tool (all versions) performs an unsafe recursive merge of objects without proper sanitization of prototype properties. This allows an attacker to inject properties into Object.prototype via the __proto__ key, leading to Prototype Pollution. [1][3]

Exploitation

An attacker can provide a crafted object containing a __proto__ property to the deepmerge() function. The recursive merge will traverse the __proto__ key and pollute the base object prototype. No authentication is required if the attacker can control the input to the merge function (e.g., via config file or user-supplied data). [3]

Impact

Successful exploitation results in Prototype Pollution, which can be leveraged to cause denial of service, property injection, or potentially remote code execution depending on how the application uses the polluted prototypes. [3]

Mitigation

The Sey package is deprecated and no fixed version has been released. The recommended mitigation is to stop using the deprecated package and migrate to its successor, Darty (https://github.com/eserozvataf/darty). There is no known patch. [1]
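
The mechanism described under Vulnerability, as an added example that is not sey's or Darty's code: a naive recursive merge next to a hardened one, run over the same constructed input. The names naiveMerge, safeMerge and checkPollution and the sample JSON are assumptions made for illustration.

```javascript
// Added example: illustrative merges, not sey's source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge of the kind the advisory describes: every key is
// followed, so target['__proto__'] resolves to Object.prototype and is merged into.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips prototype-reaching keys and only recurses into
// objects that are own properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (!isObject(value)) {
      target[key] = value;
      continue;
    }
    if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
    safeMerge(target[key], value);
  }
  return target;
}

// Merge a constructed input (as JSON.parse would deliver it from a config
// file) and report whether Object.prototype was changed as a side effect.
function checkPollution(mergeFn) {
  const input = JSON.parse('{"__proto__": {"polluted": true}, "name": "demo"}');
  const result = mergeFn({}, input);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state after the check
  return { polluted, name: result.name };
}

console.log('naiveMerge:', checkPollution(naiveMerge));
console.log('safeMerge: ', checkPollution(safeMerge));
```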

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: sey (npm)
Affected versions: <= 0.3.0
Patched versions: (none listed)

Affected products

2
  • sey/sey · description
  • ghsa-coords
    Range: <= 0.3.0

Patches

0

No patches discovered yet.

References

3
