VYPR
Moderate severity · NVD Advisory · Published Jun 17, 2022 · Updated Sep 17, 2024

Prototype Pollution

CVE-2022-25871

Description

All versions of querymen are vulnerable to prototype pollution via the handler function parameters, an incomplete fix of CVE-2020-7600.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

All versions of the querymen npm package are vulnerable to prototype pollution [1]. The vulnerability exists in the exported function handler(type, name, fn) where the parameters can be controlled by users without sanitization, allowing manipulation of JavaScript object prototypes [2]. This is an incomplete fix of CVE-2020-7600 [1].

An attacker can exploit this by passing crafted input to the handler function, specifically controlling the 'name' or 'fn' parameters to inject properties like __proto__ or constructor [2]. No authentication is required if the function is exposed to user input. The attack surface depends on how the package is integrated—typical usage in web applications processing user queries could allow remote exploitation [2].

Successful prototype pollution can lead to denial of service via JavaScript exceptions, or more critically, tampering with application logic to force code paths that may result in remote code execution [2]. The impact is limited by the application's use of the polluted properties, but can be severe if the application relies on object properties for security decisions.

As of this writing, no patched version of querymen has been released, leaving all versions vulnerable [1]. Users should avoid passing unsanitized user input to the handler function or consider replacing the package if possible. The vulnerability is tracked in the Snyk database and NVD [1,2].
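The pattern the narrative describes, a nested assignment keyed by caller-controlled strings, is shown below with a constructed handler registry. This is an added example and is not querymen's own code; the names registerHandlerUnsafe, registerHandlerSafe, createStore, isPolluted and demonstrate are hypothetical, and the unsafe function only mimics the shape of the pattern, not the package's actual code path. The hardened version rejects the keys that reach a prototype, stores handlers in null-prototype buckets, and a small detection helper reports whether Object.prototype has gained an own property.

```javascript
// Added example, not querymen's code. Illustrates the risky pattern the advisory
// describes (caller-controlled keys used in a nested assignment) beside a
// hardened version and a detection check. All names are hypothetical.

// Unsafe: assigns into store[type][name] with no key validation. When `type`
// is "__proto__", store[type] resolves to Object.prototype, so the second
// assignment lands on every object in the process.
function registerHandlerUnsafe(store, type, name, fn) {
  if (!store[type]) store[type] = {};
  store[type][name] = fn;
  return store;
}

// Keys that let a property assignment escape onto a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`unsafe property name: ${String(key)}`);
  }
}

// A registry with no prototype chain at all, so lookups never reach Object.prototype.
function createStore() {
  return Object.create(null);
}

// Hardened: validate every caller-supplied key, require fn to be a function,
// and only ever write into own, null-prototype buckets.
function registerHandlerSafe(store, type, name, fn) {
  assertSafeKey(type);
  assertSafeKey(name);
  if (typeof fn !== 'function') throw new TypeError('fn must be a function');
  if (!Object.prototype.hasOwnProperty.call(store, type)) {
    store[type] = Object.create(null);
  }
  store[type][name] = fn;
  return store;
}

// Detection helper: true if Object.prototype itself carries `prop` as an own property,
// which is the observable symptom of prototype pollution.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Runs the scenario end to end and returns what happened, cleaning up after itself.
function demonstrate() {
  const result = {};

  // 1. Unsafe path with a constructed input: the pollution is observable process-wide.
  registerHandlerUnsafe({}, '__proto__', 'injected', () => 'polluted');
  result.unsafePolluted = isPolluted('injected');
  delete Object.prototype.injected; // undo the pollution so later code is unaffected

  // 2. Hardened path with the same input: rejected before any assignment happens.
  try {
    registerHandlerSafe(createStore(), '__proto__', 'injected', () => 'polluted');
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.safePolluted = isPolluted('injected');

  // 3. A legitimate registration still works and leaves Object.prototype untouched.
  const store = registerHandlerSafe(createStore(), 'query', 'page', () => 1);
  result.legitimateWorks = typeof store.query.page === 'function';
  result.legitimatePolluted = isPolluted('page');

  return result;
}
```

Calling demonstrate() returns an object whose unsafePolluted flag is true and whose safeRejected flag is true, with both polluted flags false afterwards. The key-deny-list alone is not sufficient in general (a nested object payload can carry the same keys one level deeper), which is why the hardened version also writes only into null-prototype objects and checks own properties with hasOwnProperty rather than a truthiness test.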

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: querymen (npm)
Affected versions: <= 2.1.4
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.