VYPR
Critical severity · NVD Advisory · Published Sep 15, 2022 · Updated Aug 3, 2024

CVE-2022-37257

Description

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js allows attackers to pollute object prototypes.

Vulnerability

Description

CVE-2022-37257 is a prototype pollution vulnerability found in the convertLater function within npm-convert.js of stealjs steal version 2.2.4. The issue arises because the requestedVersion variable is not properly sanitized, allowing an attacker to inject properties into the global Object.prototype [1][2]. This type of vulnerability can lead to unexpected behavior across the application, as all objects inherit the polluted properties.

Exploitation

To exploit this vulnerability, an attacker must be able to control the requestedVersion input passed to the convertLater function. This could occur through user-supplied data in a module request or via a crafted npm package name. No authentication is required if the attacker can influence the module loading process, making the attack surface potentially broad in applications that use steal to load dynamic dependencies [2][4].

Impact

Successful exploitation allows an attacker to pollute the prototype chain, which can lead to denial of service, property injection, or in some cases, arbitrary code execution depending on how the application uses the polluted properties. The vulnerability is classified with a CVSS score that reflects the potential for significant impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date, no official patch has been released for this vulnerability. Users are advised to update to a newer version of steal if available, or to implement input validation on any user-controlled data that flows into the requestedVersion parameter. The issue is tracked in the steal GitHub repository [2][3].
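One way to apply the input validation recommended above, as an added example that is not steal's own npm-convert.js code: a hypothetical version-recording routine in the unsafe shape (an untrusted version string split into object keys) next to a hardened one that rejects prototype-reaching segments and stores into null-prototype containers. The function and variable names are assumptions, and the unsafe variant only models the general pattern the description names.

```javascript
"use strict";
// Added illustration, not steal's npm-convert.js: models the general
// pattern behind CVE-2022-37257 (an untrusted string used as object keys).
// Function and variable names here are assumptions.

// Key segments that reach Object.prototype through a plain object.
const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe shape: "a.b.c" is split and each segment becomes a plain-object
// key; a segment of "__proto__" walks up into Object.prototype, so the
// final assignment lands on every object in the process.
function recordVersionUnsafe(store, requestedVersion, value) {
  const path = requestedVersion.split(".");
  let node = store;
  for (const seg of path.slice(0, -1)) {
    if (node[seg] === undefined) node[seg] = {};
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return store;
}

// Hardened shape: reject polluting segments up front, only descend into
// own properties, and create null-prototype containers so there is no
// prototype chain for a crafted key to reach.
function recordVersionSafe(store, requestedVersion, value) {
  const path = requestedVersion.split(".");
  for (const seg of path) {
    if (POLLUTING_KEYS.has(seg)) {
      throw new Error("refusing prototype-reaching key segment: " + seg);
    }
  }
  let node = store;
  for (const seg of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, seg)) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return store;
}

// Detection check for tests or a post-load guard: has anything with this
// name leaked onto the shared prototype of a fresh object?
function prototypeIsClean(probeName) {
  return !(probeName in {});
}
```

A regression test that calls the loader with a version string containing a polluting segment and then checks `prototypeIsClean` is a cheap way to catch this class of bug before release.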

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: steal (npm)
Affected versions: <= 2.3.0
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0

No linked articles in our index yet.