VYPR
Moderate severity · NVD Advisory · Published Jan 28, 2022 · Updated Sep 17, 2024

Prototype Pollution

CVE-2021-23760

Description

The keyget npm package (all versions) is vulnerable to Prototype Pollution via set, push, and at methods, potentially leading to denial of service or remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The keyget npm package (all versions from 0.0.0) is vulnerable to Prototype Pollution through the set, push, and at methods [1][2]. These methods accept a path argument that can include __proto__, constructor, or prototype segments, allowing an attacker to pollute the base Object.prototype [3]. This vulnerability exists because of an incomplete fix for CVE-2020-28272 [1][4].

Exploitation

An attacker can craft a malicious path string or array containing __proto__ or constructor.prototype and pass it to the vulnerable methods. For example, calling set(target, ['__proto__', 'polluted'], 'value') will pollute Object.prototype [2][3]. No authentication or special privileges are required; the attacker only needs to control the path argument supplied to these methods.

Impact

Successful exploitation allows an attacker to inject arbitrary properties into the global Object.prototype. This can lead to denial of service by causing unexpected behavior or exceptions, and may enable remote code execution if the polluted properties affect the application's logic [1][3]. The impact depends on how the application uses the polluted objects.

Mitigation

As of the publication date (2022-01-28), no fixed version of keyget has been released [1]. Users should avoid using the set, push, and at methods with untrusted path inputs, or consider replacing the library with an alternative that properly sanitizes paths. The vulnerability is listed in the Snyk database [3].
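One way to implement the path sanitization the mitigation recommends, as an added example that is neither keyget's code nor part of the advisory: a naive deep-set is shown to illustrate the bug class (it follows whatever a property lookup returns, so a `__proto__` segment lands on Object.prototype), next to a hardened `safeSet` that rejects `__proto__`, `constructor` and `prototype` segments, descends only into own properties, and refuses to walk into non-objects. `isPolluted` is a small check a test suite can run to confirm Object.prototype has not been modified. All function names are hypothetical.

```javascript
'use strict';

// Path segments that reach Object.prototype or a constructor's prototype
// instead of an own property of the target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept either "a.b.c" or ['a', 'b', 'c']; every segment must be a non-empty string.
function normalizePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  if (segments.length === 0) throw new TypeError('path must not be empty');
  for (const seg of segments) {
    if (typeof seg !== 'string' || seg.length === 0) {
      throw new TypeError('path segments must be non-empty strings');
    }
  }
  return segments;
}

// Naive deep-set, written here only to illustrate the bug class (not keyget's code):
// it walks whatever the property lookup returns, so a '__proto__' segment
// lands on Object.prototype and the final assignment pollutes every object.
function naiveSet(target, path, value) {
  const segments = normalizePath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened deep-set: rejects prototype-reaching segments, follows only own
// properties, and refuses to descend into anything that is not an object.
function safeSet(target, path, value) {
  const segments = normalizePath(path);
  for (const key of segments) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing unsafe path segment: ${key}`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (!Object.prototype.hasOwnProperty.call(node, key)) {
      node[key] = {};
    } else if (typeof node[key] !== 'object' || node[key] === null) {
      throw new TypeError(`cannot descend into non-object at ${key}`);
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// True if a fresh object already carries the named property, i.e. the
// property has been written onto Object.prototype.
function isPolluted(prop) {
  return ({})[prop] !== undefined;
}

// Demonstration on constructed input: the naive setter pollutes, the safe one throws.
function demo() {
  naiveSet({}, ['__proto__', 'polluted'], 'yes');
  const leaked = isPolluted('polluted');
  delete Object.prototype.polluted; // clean up after the demonstration

  let rejected = false;
  try {
    safeSet({}, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = true;
  }
  const ok = safeSet({}, 'a.b.c', 1);
  return { leaked, rejected, cleaned: !isPolluted('polluted'), value: ok.a.b.c };
}

console.log(demo()); // { leaked: true, rejected: true, cleaned: true, value: 1 }
```

The key-blocklist alone is not sufficient in general: `safeSet` also checks `hasOwnProperty` before descending so that an inherited property (on any prototype, not just Object.prototype) is never used as the traversal target, and it refuses to turn a primitive into a container. Libraries that must accept user-controlled paths should apply both checks.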

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        | Affected versions | Patched versions
keyget (npm)   | <= 2.4.0          | none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)