Prototype Pollution

Vulnerability

The package bodymen from version 0.0.0 is vulnerable to Prototype Pollution via the handler function. The vulnerability can be exploited by crafting a request with a __proto__ payload that modifies properties of Object.prototype. This vulnerability is an incomplete fix to CVE-2019-10792 [1][2]. All versions prior to the fix are affected [1].

Exploitation

An attacker can send a malicious JSON payload containing __proto__ keys to the bodymen middleware during request processing. The handler function does not properly sanitize or validate nested properties, allowing the attacker to add or alter properties on Object.prototype [2]. This can be done without authentication if the endpoint is publicly accessible [1].

Impact

Successful exploitation leads to Prototype Pollution, enabling the attacker to inject properties that are inherited by all JavaScript objects in the application. This can cause denial of service through JavaScript exceptions, or alter application logic leading to remote code execution in some contexts [2].

Mitigation

A fix was released in version 1.0.1 of bodymen. Users should upgrade to version 1.0.1 or later to mitigate this vulnerability [1]. The Snyk advisory notes that the fix addresses the incomplete patching of CVE-2019-10792 [1][2]. No workarounds are documented; upgrading is the recommended action.