VYPR
High severity · NVD Advisory · Published Jun 30, 2021 · Updated Aug 3, 2024

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in think-helper

CVE-2021-32736

Description

Prototype Pollution vulnerability in think-helper before 1.1.3 allows attackers to modify Object prototype attributes via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The think-helper library (versions prior to 1.1.3) is susceptible to a Prototype Pollution vulnerability. The software receives input from an upstream component that specifies attributes to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype [1][3]. This allows an attacker to pollute the global Object.prototype with arbitrary properties, potentially affecting all objects in the runtime. The affected versions are all releases before 1.1.3.

Exploitation

An attacker can exploit this flaw by providing specially crafted input (e.g., JSON payloads with keys like __proto__ or constructor.prototype) to functions that use the affected extend or similar object-manipulation routines in the think-helper library. No special privileges are required beyond the ability to supply input to the application that processes untrusted data using the vulnerable library [1][3].

Impact

Successful exploitation leads to Prototype Pollution, which can allow the attacker to inject arbitrary properties into the global Object prototype. This may result in unexpected behavior, denial of service (DoS), or—depending on the application logic—potential escalation to arbitrary code execution or other severe security consequences [1][3]. The exact impact depends on how the polluted properties are used by the consuming application.

Mitigation

The vulnerability is patched in version 1.1.3 of think-helper [1][3]. All users should upgrade to version 1.1.3 or later. As of the advisory, the repository has been archived and migrated to a new location; for ongoing updates, see https://github.com/thinkjs/thinkjs/tree/master/packages/think-helper [2]. No workarounds are documented for versions prior to the fix.
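The flaw class described under Vulnerability and Exploitation, and the kind of key filtering a fix needs, as an added illustration in hypothetical code (not think-helper's own implementation or its 1.1.3 patch): a deep-extend that recurses into inherited keys such as __proto__, beside a version that copies only own properties and drops prototype-reaching keys. The JSON payload is constructed for the demo.

```javascript
'use strict';

// Keys that must never be copied from untrusted input into a target object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Hypothetical vulnerable deep-extend mirroring the flaw class: it walks every
// enumerable key of the source, including "__proto__", and recurses into
// target["__proto__"], which resolves to the shared Object.prototype.
function unsafeExtend(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant: own keys only, blocked names dropped, and recursion only
// into the target's own properties, never into inherited ones.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample body, shaped like the crafted input the advisory describes.
const PAYLOAD = JSON.parse('{"name":"demo","__proto__":{"polluted":true}}');

// Runs one extend routine on the payload and reports whether an unrelated,
// freshly created object inherited the injected property; cleans up afterwards.
function demo(extendFn) {
  const result = extendFn({}, PAYLOAD);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: result.name, leaked };
}
```

Running demo(unsafeExtend) reports leaked: true, while demo(safeExtend) still copies "name" but reports leaked: false.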

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
think-helper (npm)   < 1.1.3             1.1.3
