VYPR
High severity · NVD Advisory · Published May 1, 2022 · Updated Sep 17, 2024

Prototype Pollution

CVE-2022-25301

Description

All versions of jsgui-lang-essentials are vulnerable to Prototype Pollution via unsafe object operations, allowing attackers to alter Object prototypes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The jsgui-lang-essentials npm package (all versions) is vulnerable to Prototype Pollution. The library allows any property of an object to be set, including the special properties __proto__, constructor, and prototype. This occurs in functions like ll_set() and potentially in unsafe recursive merge or property-by-path operations [1][2]. The issue is present in every release of the package up to the latest published version [1].

Exploitation

An attacker can trigger Prototype Pollution by supplying a crafted object with a __proto__ property to one of the vulnerable API functions, such as ll_set(). The attacker does not need authentication; the vulnerability is exploitable if the application processes attacker-controlled input (e.g., JSON payloads) through the unsanitized object operations provided by the library [2][4]. The exploit does not require user interaction beyond the application accepting the malicious input.

Impact

Successful exploitation allows an attacker to inject properties into the global Object.prototype. This can lead to denial of service (DoS) via JavaScript exceptions, or to tampering with application logic that steers code execution paths, potentially leading to remote code execution (RCE) in the context of the application [2]. The scope of compromise depends on how the polluted properties are used by the application.

Mitigation

No official fix has been released for this package as of the publication date. The maintainer has been notified via the GitHub issue tracker [4]. There is no known workaround; users should avoid passing untrusted input to functions like ll_set() or consider discontinuing use of jsgui-lang-essentials until a patched version is available [1][2].
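The defensive pattern the mitigation points at, as an added example that is not part of the advisory or of jsgui-lang-essentials: the hypothetical helpers below (safeSetByPath, hasForbiddenKey, inheritedEnumerableKeys) show how a property-by-path setter can refuse the __proto__, constructor and prototype segments, how untrusted JSON can be screened for those keys before it reaches any merge or set-by-path call, and how an application can check at runtime whether Object.prototype has already been polluted. The JSON payload is constructed for the example.

```javascript
'use strict';

// Property names that, used as path segments or merge keys, let a write reach
// Object.prototype (or Function.prototype) instead of the intended target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively scan a decoded payload (e.g. the output of JSON.parse) for own
// keys that a set-by-path or merge routine must never honour. Note that
// JSON.parse('{"__proto__": {}}') yields an *own* key named "__proto__",
// so Object.keys() does surface it; a plain object literal would not.
function hasForbiddenKey(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value); // guard against cyclic structures
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (hasForbiddenKey(value[key], seen)) return true;
  }
  return false;
}

// Hardened set-by-path (hypothetical replacement for an unsafe ll_set-style
// helper): rejects dangerous segments before touching anything, only walks
// through the target's own properties, and never follows an inherited value,
// so an already-polluted prototype cannot be used as a stepping stone.
function safeSetByPath(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const keys = String(path).split('.');
  for (const key of keys) {
    if (key === '' || FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing unsafe path segment: ${JSON.stringify(key)}`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (own === null || typeof own !== 'object') {
      cur[key] = {}; // create (or replace a scalar with) a fresh own container
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runtime pollution check: a fresh object should inherit no enumerable
// properties. Returns the names found, so callers can alert on a non-empty list.
function inheritedEnumerableKeys(obj = {}) {
  const out = [];
  for (const key in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) out.push(key);
  }
  return out;
}

// Constructed sample: an untrusted JSON body of the shape the advisory
// describes, carrying a "__proto__" key next to legitimate data.
const UNTRUSTED_JSON =
  '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}';

// Exercise the three defenses and report the outcome.
function demo() {
  const payload = JSON.parse(UNTRUSTED_JSON);
  const rejected = hasForbiddenKey(payload);       // screened before any merge
  let threw = false;
  try {
    safeSetByPath({}, '__proto__.isAdmin', true);  // the polluting path
  } catch (e) {
    threw = true;
  }
  const ok = safeSetByPath({}, 'settings.theme', 'dark'); // a benign path
  return { rejected, threw, ok, pollutedKeys: inheritedEnumerableKeys({}) };
}

console.log(JSON.stringify(demo()));
```

Screening the decoded input with hasForbiddenKey is the cheapest drop-in control while the library itself is unpatched; safeSetByPath is the shape a fixed setter should take; inheritedEnumerableKeys is the detection side, useful as a startup or health-check assertion so that pollution, if it does occur, surfaces as an alert rather than as an unexplained behaviour change.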

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: jsgui-lang-essentials (npm)
Affected versions: <= 0.4.3
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)