VYPR
Critical severity · NVD Advisory · Published Sep 20, 2022 · Updated May 28, 2025

CVE-2022-37265


Description

Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution in steal 2.2.4's babel.js allows attackers to modify object prototypes via the alias variable.

Vulnerability

Overview

CVE-2022-37265 describes a prototype pollution vulnerability in steal 2.2.4, specifically within the babel.js file. The flaw resides in how the alias variable is handled, allowing an attacker to pollute the prototype of built-in JavaScript objects [1]. Prototype pollution occurs when attacker-controlled property names such as __proto__ (or the constructor.prototype path) are used as keys in an assignment or recursive merge, so the write lands on a shared prototype such as Object.prototype instead of the intended target. Because nearly every object inherits from that prototype, the injected property then appears on objects across the whole application, including ones the attacker never touched.

Attack

Vector and Prerequisites

The vulnerability is exploited through the alias variable in ext/babel.js [3]. The public advisories do not detail the exact attack surface, but prototype pollution in a module loader like steal requires the attacker to control input that flows into the vulnerable assignment, for instance crafted module aliases or configuration values that are processed without checking the property names [4]. No authentication is involved in the flaw itself; the practical prerequisite is that the attacker can influence the application's build-time or runtime module resolution process, for example through a configuration file or alias map that the application accepts from an untrusted source.

Impact

Successful exploitation allows an attacker to inject arbitrary properties into Object.prototype (or other global prototypes). The consequences depend on how the application and its dependencies consume the polluted properties: an unexpected property can flip a security decision, crash code that did not anticipate it (denial of service), or, where a polluted value reaches a sink such as a templating engine or a child-process invocation, lead to remote code execution. For example, setting isAdmin to true on the prototype makes every object answer true to a check such as user.isAdmin, bypassing authorization for users who were never granted that flag.

Mitigation

As of the publication date, a fix has not been incorporated into a public release [4]. Users of steal 2.2.4 (and, per the GitHub Security Advisory, any version up to and including 2.3.0) should patch the vulnerable assignment in babel.js themselves, for instance by rejecting the keys __proto__, constructor and prototype before they are used, or restrict the ability of untrusted parties to supply module aliases. Since steal is a client-side and build-time module loader, the risk is reduced if untrusted input cannot reach the vulnerable path; that assumption should be verified rather than presumed. None of the cited references report inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog.
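The Attack, Impact and Mitigation sections above describe a pattern rather than show it. The following is an added example, not steal's own code and not the contents of babel.js: a simplified alias-merge routine (applyAliasesVulnerable) that exhibits the same class of bug, an authorization check of the kind the Impact section mentions, and a hardened merge (applyAliasesHardened) that rejects prototype-reaching keys. The function names, the config shape and the attacker payload are assumptions for illustration.

```javascript
// Added example (not steal's code): the alias-merge pattern behind prototype
// pollution, the resulting authorization bypass, and a hardened merge.

// Hypothetical vulnerable merge: recursive copy with no key filtering.
function applyAliasesVulnerable(config, aliases) {
  for (const key of Object.keys(aliases)) {
    const value = aliases[key];
    if (typeof value === "object" && value !== null) {
      // When key === "__proto__", config[key] resolves through the inherited
      // accessor to Object.prototype, and the recursion writes into it.
      if (typeof config[key] !== "object" || config[key] === null) {
        config[key] = {};
      }
      applyAliasesVulnerable(config[key], value);
    } else {
      config[key] = value;
    }
  }
  return config;
}

// Hardened merge: fail closed on keys that reach a prototype, only descend into
// own properties, and create nested containers without a prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applyAliasesHardened(config, aliases) {
  for (const key of Object.keys(aliases)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge alias key "${key}"`);
    }
    const value = aliases[key];
    if (typeof value === "object" && value !== null) {
      const own = Object.prototype.hasOwnProperty.call(config, key);
      if (!own || typeof config[key] !== "object" || config[key] === null) {
        config[key] = Object.create(null);
      }
      applyAliasesHardened(config[key], value);
    } else {
      config[key] = value;
    }
  }
  return config;
}

// A downstream authorization check of the kind the Impact section describes:
// it trusts a property lookup that the prototype chain can satisfy.
function isAuthorized(user) {
  return user.isAdmin === true;
}

// Cheap runtime canary: does Object.prototype carry a foreign own property?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

function demo() {
  // Constructed attacker payload. JSON.parse creates "__proto__" as an own
  // property, which is why Object.keys() enumerates it (an object literal
  // would instead set the prototype of the literal itself).
  const payload = JSON.parse(
    '{"jquery": "vendor/jquery.js", "__proto__": {"isAdmin": true}}'
  );
  const guest = { name: "guest" }; // unrelated object, never given isAdmin

  const beforeAttack = isAuthorized(guest);       // false
  applyAliasesVulnerable({}, payload);
  const afterVulnerable = isAuthorized(guest);    // true: pollution bypassed the check
  const polluted = isPrototypePolluted("isAdmin"); // true
  delete Object.prototype.isAdmin;                 // undo the damage for this process

  let rejected = false;
  try {
    applyAliasesHardened({}, payload);
  } catch (e) {
    rejected = true;                               // hardened merge refuses the payload
  }
  const afterHardened = isAuthorized(guest);       // false

  // The hardened merge still handles ordinary nested alias maps.
  const benign = applyAliasesHardened({}, {
    jquery: "vendor/jquery.js",
    plugins: { lodash: "vendor/lodash.js" },
  });

  return { beforeAttack, afterVulnerable, polluted, rejected, afterHardened, benign };
}

console.log(demo());
```

The hardened version throws rather than silently dropping the forbidden key so that a malicious alias map is noticed instead of partially applied; the own-property check matters even with the key filter, because descending into an inherited property of an existing config object would still walk onto a shared prototype.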

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: steal (npm)
Affected versions: <= 2.3.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)