CVE-2022-37609
Description
Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution vulnerability in js-beautify 1.13.7 allows attackers to pollute Object prototype via the name variable in options.js.
Vulnerability
The js-beautify library version 1.13.7 contains a prototype pollution vulnerability in the options.js file, specifically in the handling of the name variable at line 167 [1]. The code path allows an attacker to inject properties into the global Object.prototype when processing user-controlled input that is passed to the name variable without proper sanitization. This affects all installations using version 1.13.7.
Exploitation
An attacker can exploit this vulnerability by providing a crafted input string that includes prototype pollution payloads (e.g., __proto__ or constructor.prototype) as the name parameter. No authentication or special privileges are required; the attacker only needs to supply the malicious input to an application that uses js-beautify to process user-provided data. The vulnerability is triggered when the options.js module processes the name variable during beautification.
Impact
Successful exploitation allows an attacker to pollute Object.prototype, so that injected properties appear on other objects in the application and cause unexpected behavior. Depending on how the application uses the polluted properties, this can enable further attacks such as denial of service, privilege escalation, or arbitrary code execution.
Mitigation
According to the available references, no official patch has been released for js-beautify version 1.13.7 [3]. Users should monitor the project repository for updates and consider applying input validation or sanitization to prevent prototype pollution payloads from reaching the vulnerable code path. If possible, upgrading to a newer version that addresses this issue is recommended.
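One way to apply the input validation suggested above at the application boundary, shown as an added example (not code from js-beautify or from this CVE's references). It assumes options arrive as untrusted JSON; `sanitizeOptions`, `BLOCKED_KEYS`, `demo` and the sample input are hypothetical names and constructed data.

```javascript
// Key names that can reach Object.prototype when used as property names
// during a recursive merge or assignment.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical helper (not part of js-beautify): copy untrusted options into
// null-prototype objects, dropping blocked keys at every depth.
function sanitizeOptions(value, dropped = [], path = "") {
  if (Array.isArray(value)) {
    return value.map((v, i) => sanitizeOptions(v, dropped, `${path}[${i}]`));
  }
  if (value === null || typeof value !== "object") {
    return value; // primitives pass through unchanged
  }
  const clean = Object.create(null); // no prototype chain to pollute
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) {
      dropped.push(here); // record the path for logging or alerting
      continue;
    }
    clean[key] = sanitizeOptions(value[key], dropped, here);
  }
  return clean;
}

// Constructed sample: options as they might arrive in a JSON request body.
const untrusted = JSON.parse(
  '{"indent_size": 2, "__proto__": {"polluted": true},' +
  ' "js": {"constructor": {"prototype": {"polluted": true}}, "indent_char": " "}}'
);

// Sanitize the sample and report what was removed and whether a fresh
// object shows any sign of pollution.
function demo() {
  const dropped = [];
  const options = sanitizeOptions(untrusted, dropped);
  return { options, dropped, polluted: ({}).polluted };
}
```

The `dropped` list gives a detection signal: a non-empty list on a request that should only carry formatting options is worth logging and rejecting. This guards the caller's input and does not change the code path in options.js.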
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- beautify-web/js-beautify
- Range: = 1.13.7
Patches
No patches discovered yet.