VYPR
Critical severity · NVD Advisory · Published Sep 16, 2022 · Updated Aug 3, 2024

CVE-2022-37258

Description

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution vulnerability in stealjs steal 2.2.4's npm-convert.js allows attackers to pollute object prototypes via the packageName variable.

Vulnerability

Overview

CVE-2022-37258 is a prototype pollution vulnerability in the convertLater function within npm-convert.js of stealjs steal version 2.2.4. The root cause is improper handling of the packageName variable, which can be manipulated to set arbitrary properties on Object.prototype [1][2][4]. This occurs because the function does not sanitize or validate the input before using it in a merge or assignment operation that recursively sets properties on an object [4].

Exploitation

An attacker can exploit this vulnerability by providing a crafted packageName value that includes prototype pollution payloads (e.g., __proto__ or constructor.prototype). No authentication is required if the attacker can control the input to the convertLater function, which may be exposed through module loading or dependency resolution processes [2]. The attack surface is limited to scenarios where untrusted data is passed to steal's npm conversion logic, such as when loading packages from external sources.

Impact

Successful exploitation allows an attacker to pollute the global Object.prototype, affecting all objects in the application. This can lead to denial of service, property injection, or potentially arbitrary code execution if the polluted properties are used in security-sensitive operations [1][2]. The severity is high because prototype pollution can bypass input validation and affect the entire application's behavior.

Mitigation

As of the publication date, no official patch has been released for steal 2.2.4 [2]. Users are advised to avoid passing untrusted input to the affected function, or to upgrade to a patched version if one becomes available. The issue is tracked on GitHub [2], and the vulnerable code is located at line 362 of ext/npm-convert.js [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
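The recursive property-setting pattern that the Overview and Mitigation sections describe, as an added JavaScript illustration (not steal's own code): a naive nested-property setter beside a hardened one. The helper names, the dotted key path standing in for an attacker-influenced packageName value, and the sample values are assumptions.

```javascript
// Added illustration (not steal's code): a recursive nested-property setter
// of the kind the advisory describes, naive and hardened. The dotted path
// is a constructed stand-in for an attacker-influenced packageName value.

// Naive form: walks or creates each path segment without checking the key,
// so a path whose first segment is "__proto__" walks into Object.prototype.
function setPathNaive(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: refuse keys that reach the prototype chain, descend only
// into own properties, and create intermediate objects with no prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new Error(`refusing unsafe key in path: ${path}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = Object.create(null);
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Detection check: does Object.prototype now carry the key? Any freshly
// created object would inherit it, which is what "polluted" means here.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

The same key filter applies to any recursive merge; freezing Object.prototype at startup or keeping untrusted keys in a Map are complementary defences.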

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
steal (npm)    <= 2.3.0            none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.