VYPR
High severity · NVD Advisory · Published Feb 28, 2023 · Updated Mar 11, 2025

CVE-2023-26105

Description

All versions of the 'utilities' npm package are vulnerable to Prototype Pollution via the _mix function, allowing attackers to inject arbitrary properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The utilities npm package, in all versions, contains a Prototype Pollution vulnerability in the _mix function within lib/core.js. The _mix function performs a recursive merge of objects without proper sanitization of special properties like __proto__, constructor, or prototype [1]. This allows an attacker to pollute the base Object prototype by injecting properties through these keys during the merge process [2].

Exploitation

An attacker can exploit this by crafting a specially designed object that contains a __proto__ property. When the _mix function merges this malicious object with a target object, the polluting properties are copied onto Object.prototype, affecting all JavaScript objects in the application. The loadLocale function in utilities.i18n calls the vulnerable _mix function, providing a direct attack surface. No authentication is required; the attacker only needs to control the input passed to loadLocale (or any function that triggers the merge). A proof-of-concept (POC) demonstrates that passing {test:"123"} as a second parameter to loadLocale pollutes the prototype, so that {}.test returns "123" after the call [3].

Impact

Successful exploitation can lead to denial of service by triggering JavaScript exceptions, or it can tamper with application logic to force code paths that the attacker controls. In some scenarios, this may lead to remote code execution if the polluted prototype properties influence subsequent operations like property access or function calls [2].

Mitigation

As of the latest advisory, no patched version of the utilities package has been released. The package appears to be unmaintained. Users should avoid using this package or apply a patch to block dangerous keys in the merge logic. If immediate replacement is not possible, consider using a fork or a different utility library that is actively maintained and not vulnerable to Prototype Pollution [1].
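The Description and Mitigation sections above describe the fault (a recursive merge that follows __proto__, constructor and prototype keys) and the fix (block those keys in the merge logic). The following is an added example written for this page; it is not code from the utilities package, and _mix and loadLocale are only referenced by name from the advisory. safeMix, findUnsafeKeys, BLOCKED_KEYS and UNTRUSTED_LOCALE are assumed names, and the locale payload is a constructed sample shaped like the advisory's PoC input so the check has something to detect.

```javascript
// Added example for this advisory; it is not code from the utilities package.
// safeMix is a hardened stand-in for a recursive merge like _mix: it refuses
// to copy the keys that reach Object.prototype and only recurses into plain
// objects. findUnsafeKeys is a pre-merge check for untrusted input.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Collect the dotted paths of every blocked key found in the input tree.
// Object.keys sees an own "__proto__" property (which JSON.parse produces).
function findUnsafeKeys(input, path = "", found = []) {
  if (!isPlainObject(input)) return found;
  for (const key of Object.keys(input)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) found.push(here);
    findUnsafeKeys(input[key], here, found);
  }
  return found;
}

// Deep-merge source into target without ever descending into the prototype chain.
function safeMix(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // skip keys that would reach Object.prototype
    const value = source[key];
    if (isPlainObject(value)) {
      // Only reuse an existing container if it is the target's own plain object.
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMix(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample (assumption, not from the package): a locale payload whose
// own "__proto__" key carries {test: "123"}, the shape the advisory's PoC describes.
const UNTRUSTED_LOCALE = JSON.parse('{"greeting":"hi","__proto__":{"test":"123"}}');

// Run the check and the merge; return facts a caller can assert on.
function demo() {
  const unsafe = findUnsafeKeys(UNTRUSTED_LOCALE);
  const merged = safeMix({ greeting: "hello", nested: { a: 1 } }, UNTRUSTED_LOCALE);
  return {
    unsafe,                                  // ["__proto__"]
    greeting: merged.greeting,               // "hi"
    nestedA: merged.nested.a,                // 1, untouched by the merge
    prototypeClean: ({}).test === undefined, // true: Object.prototype was not modified
  };
}

console.log(demo());
```

Two design points matter here. The key filter alone is not enough if the merge reuses whatever target[key] already resolves to, because an inherited value would be merged into; hence the hasOwnProperty check before recursing. And findUnsafeKeys is useful as a detection hook at the input boundary (log or reject a locale object that carries these keys) independently of which merge implementation the application ends up using.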

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
utilities (npm)    <= 1.0.6            none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.