VYPR
High severity
NVD Advisory · Published Feb 24, 2023 · Updated Mar 11, 2025

CVE-2023-26102

Description

All versions of the Rangy JavaScript library are vulnerable to Prototype Pollution via unsafe recursive merge in the extend() function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2023-26102 affects all versions of the Rangy JavaScript library. The vulnerability resides in the extend() function within rangy-core.js. The function performs an unsafe recursive merge of object properties, which allows an attacker to pollute the Object.prototype by injecting properties such as __proto__ or constructor [1][3]. The root cause is that the merge operation copies properties from a source object to a target without properly sanitizing special prototype-related keys, enabling prototype pollution [4].

Attack Vector

The attack is triggered through the rangy.util.extend({}, BAD_JSON, {}) call, where BAD_JSON can be crafted JSON like {"__proto__":{"test":123}}. When the recursive merge processes the __proto__ key, it merges into the actual prototype object, modifying global object properties. The proof-of-concept demonstrates that after the call, ({}).test returns 123, confirming successful prototype pollution [4].

Impact

Successful exploitation allows an attacker to inject arbitrary properties into the JavaScript inheritance chain. This can lead to denial of service via exceptions, tampering with application logic, or potentially remote code execution if the polluted properties are used in security-sensitive operations [3].

Mitigation

As of the analysis date, no patch was available for Rangy, and the library appears to be unmaintained [2]. Users should consider replacing Rangy with an alternative range and selection library or implementing a workaround by sanitizing input objects passed to extend() to prevent prototype pollution.
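The unsafe recursive merge described in the Overview and Attack Vector sections, beside the sanitizing workaround suggested under Mitigation, as an added JavaScript example; this is not Rangy's extend() implementation, and the function names (unsafeExtend, safeExtend, demo) are assumed.

```javascript
// Added example, not Rangy's code: a minimal recursive merge in the shape
// the advisory describes, next to a hardened version that drops
// prototype-related keys before recursing.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every own key of the source is merged, and for
// "__proto__" the lookup target[key] resolves to Object.prototype, so the
// recursion writes into the global prototype instead of the target.
function unsafeExtend(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      const value = source[key];
      if (isPlainObject(value) && isPlainObject(target[key])) {
        unsafeExtend(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Hardened pattern: skip __proto__/constructor/prototype, and only recurse
// into an *own* plain-object property of the target, never an inherited one.
function safeExtend(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        const own = Object.prototype.hasOwnProperty.call(target, key);
        target[key] = safeExtend(own && isPlainObject(target[key]) ? target[key] : {}, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Replays the advisory's scenario against both merges. JSON.parse is needed:
// an object literal {"__proto__": ...} sets the prototype rather than creating
// an own key. Object.prototype is restored afterwards so the check is repeatable.
function demo() {
  const BAD_JSON = '{"__proto__":{"test":123}}'; // constructed, PoC shape from the advisory
  unsafeExtend({}, JSON.parse(BAD_JSON), {});
  const leaked = ({}).test; // 123: Object.prototype was polluted
  delete Object.prototype.test;
  const safeTarget = safeExtend({}, JSON.parse(BAD_JSON), {});
  return { leaked, afterSafe: ({}).test, safeKeys: Object.keys(safeTarget) };
}
```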

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: rangy (npm)
Affected versions: <= 1.3.1
Patched versions: none

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4