CVE-2023-26158
Description
All versions of mockjs are vulnerable to prototype pollution via the Util.extend function, allowing attackers to modify Object.prototype and potentially cause denial of service or remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The mockjs package, used for generating simulation data, is vulnerable to prototype pollution in all versions. The vulnerability resides in the Util.extend function, which fails to check whether an attribute resolves to the object prototype, such as __proto__, constructor, or prototype. This allows an attacker to manipulate properties on Object.prototype through user-controlled inputs passed to the extend() method in Mock.Handler, Mock.Random, Mock.RE.Handler, or Mock.Util [1].
Exploitation requires the attacker to control inputs to these extend() methods. Because every object that inherits from Object.prototype sees the polluted properties, an attacker can inject or modify properties globally. This can be achieved by supplying a malicious object with a __proto__ property that carries the desired pollution [1].
The impact of this vulnerability includes denial of service by triggering JavaScript exceptions or altering application logic. More critically, it can lead to remote code execution if the attacker is able to force code paths that rely on polluted properties [2]. The exact severity depends on how the affected application uses mockjs and whether user input reaches the vulnerable functions.
As a workaround, the vendor suggests adding a denylist of dangerous attributes within the Util.extend function, specifically skipping properties named __proto__, constructor, and prototype. No official patch has been released as of the publication date, so users must apply this workaround manually or avoid using user-controlled inputs with the affected methods [1].
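To make the defect and the suggested workaround concrete, here is an added example (not mockjs's own code): a minimal recursive extend() in the style the advisory describes, first without and then with the denylist of __proto__, constructor and prototype. The payload string is constructed for the demonstration, and the helper names are assumptions.

```javascript
// Added example, not code from the mockjs project.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Defective merge: copies every own key of `source` into `target`, recursing
// into nested objects. For a key named "__proto__", target[key] resolves to
// Object.prototype, so the recursion writes onto the shared prototype.
function extendUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      extendUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: the vendor-suggested denylist skips the three keys that
// reach the prototype, and nested targets must be own properties.
function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      extendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if a fresh object inherits a "polluted" flag after merging the
// constructed payload with the given extend implementation; cleans up after.
function pollutes(extendFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed
  extendFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

A regression check in an application that wraps such a merge is simply `pollutes(extend) === false` against a JSON-parsed payload, since JSON.parse is what turns a user-supplied string into an own "__proto__" key.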
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mockjs (npm) | <= 1.1.0 | — |
Affected products
- mockjs/mockjs
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-mh8j-9jvh-gjf6 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-26158 (NVD advisory)
- github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js (web)
- security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365 (web)
- github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755 (MITRE)
News mentions
No linked articles in our index yet.