VYPR
Critical severity · NVD Advisory · Published Oct 14, 2022 · Updated May 15, 2025

CVE-2022-37602

Description

Prototype pollution vulnerability in grunt-karma 4.0.1 allows attackers to pollute object prototypes via the key variable in grunt-karma.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution vulnerability in grunt-karma 4.0.1 allows attackers to pollute object prototypes via the `key` variable in `grunt-karma.js`.

Vulnerability Overview

CVE-2022-37602 is a prototype pollution vulnerability found in grunt-karma version 4.0.1, a Grunt plugin for the Karma test runner [1]. The flaw resides in the tasks/grunt-karma.js file, where the key variable is used to set properties on an object without proper validation [4]. This allows an attacker to inject arbitrary properties into an object's prototype, leading to prototype pollution [2].

Exploitation and Attack Surface

The vulnerability is triggered through the key variable in the code at line 109 of grunt-karma.js [4]. An attacker can exploit this by crafting a malicious configuration that is processed by grunt-karma. The issue does not require authentication but relies on the victim loading a compromised configuration file or processing attacker-controlled input. The attack is performed locally or through supply-chain scenarios in which a user is tricked into using a malicious Gruntfile or Karma configuration [3].

Impact

Successful exploitation allows an attacker to pollute the Object prototype, which can lead to unexpected behavior, denial of service, or potentially arbitrary code execution, depending on how the polluted properties are used by downstream code. Prototype pollution is a serious issue in JavaScript applications because properties added to Object.prototype are inherited by every object in the runtime environment [2].

Mitigation Status

As of the advisory date, no official patch has been released for grunt-karma 4.0.1. Users should consider applying manual input validation on the key variable or avoid processing untrusted configuration files. The maintainers have been notified via the public issue tracker [3]. Security teams should monitor for updates or mitigate by restricting the use of affected versions.
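The manual input validation recommended above, worked through as an added example. This is not grunt-karma's code and does not reproduce the affected routine; it assumes only a generic recursive option-merge of the kind a Grunt task uses, and the configuration values in it are constructed for illustration. It shows the shape of the defect to look for in review (unsafeMerge), a scanner that reports prototype-reaching keys in a parsed config (findDangerousKeys), and a merge that refuses those keys and never walks into inherited slots (safeMerge, loadConfig).

```javascript
// Added example, not grunt-karma's code. Assumes only Node.js built-ins.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// The defect shape to flag in review: a recursive merge that trusts every key.
// With key "__proto__", target[key] resolves to Object.prototype and the
// recursion then writes into it. Kept here only to show the pattern; not used.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection: walk a parsed config (objects and arrays) and return dotted paths
// of every key that can reach Object.prototype.
function findDangerousKeys(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findDangerousKeys(value[key], here, found);
  }
  return found;
}

// Mitigation: (1) refuse forbidden keys outright, (2) recurse only into own,
// plain-object slots of the target, never inherited ones, (3) define the
// property directly so inherited setters such as the __proto__ accessor never run.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing prototype-reaching key "${key}"`);
    }
    const value = source[key];
    const existing = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
    const merged = isPlainObject(value) ? safeMerge(existing, value) : value;
    Object.defineProperty(target, key, {
      value: merged, writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Load a JSON config from an untrusted source: scan first, then merge it over
// a fresh copy of the defaults so the caller's defaults object is never mutated.
function loadConfig(defaults, jsonText) {
  const parsed = JSON.parse(jsonText);
  const bad = findDangerousKeys(parsed);
  if (bad.length > 0) {
    throw new Error(`rejected config: dangerous keys at ${bad.join(', ')}`);
  }
  return safeMerge(safeMerge({}, defaults), parsed);
}

module.exports = { unsafeMerge, findDangerousKeys, safeMerge, loadConfig };
```

The scanner is the piece worth running on its own: pointed at a Gruntfile's option objects or a Karma config before they reach a merge routine, it gives a reviewable list of paths rather than a silent rejection.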

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: grunt-karma (npm)
Affected versions: <= 4.0.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)