VYPR
High severity (CVSS 7.6, NVD) · Advisory · Published Jun 17, 2024 · Updated Apr 15, 2026

CVE-2024-36581

Description

A prototype pollution vulnerability in @abw/badger-database 1.2.1 allows arbitrary code execution via crafted input to setDebug.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-36581: Prototype Pollution in @abw/badger-database

The vulnerability is a Prototype Pollution issue in the @abw/badger-database package version 1.2.1. The flaw exists in the dist/badger-database.esm module, where the setDebug function unsafely processes user-supplied objects. An attacker can inject malicious properties, such as __proto__ or constructor.prototype, into the object's prototype chain. This is a classic Prototype Pollution pattern where the lack of input sanitization allows manipulation of the global Object.prototype [1][3].

Exploitation requires the attacker to supply a crafted JSON payload to the setDebug function. The proof-of-concept demonstrates that parsing JSON containing {"__proto__":{"polluted":true}} and passing it to setDebug results in the polluted property being set on all object prototypes. No authentication or special network position is required; any attacker who can deliver this payload (for example, via an application endpoint that uses the library) can trigger the vulnerability [3].

The impact is severe. Once the prototype is polluted, the attacker can alter the behavior of all objects inheriting from the affected prototype. This can lead to Denial of Service (DoS), Remote Code Execution (RCE), or Cross-Site Scripting (XSS), depending on how the application logic uses the polluted properties. The CVSS v3 score is 7.6 (High), reflecting the low attack complexity and high potential impact [2][3].

As of the publication date, the maintainer has not provided an official patch. Users are urged to implement proper input sanitization and validation, particularly blocking inputs containing __proto__ and constructor.prototype. Until an update is released, any application using @abw/badger-database version 1.2.1 should be considered vulnerable and should apply defensive coding practices [3].
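A defensive pre-check for the mitigation described above, added here as an example and not code from @abw/badger-database or this advisory: it walks untrusted JSON for the prototype-reaching keys the advisory names before any library call such as setDebug sees the object, and includes a canary for detecting that Object.prototype has already been polluted. The helper names and the sample inputs are constructed for this illustration.

```javascript
'use strict';
// Added example: reject prototype-reaching keys in untrusted JSON before it is
// merged into any library object. Not the package's own code; helper names and
// sample inputs are constructed for this illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively walk a parsed JSON value and return the dotted paths of every
// forbidden key. JSON.parse stores "__proto__" as an ordinary own property,
// so Object.keys() lists it and value[key] reads that own property.
function findPrototypeKeys(value, path = [], found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) found.push(here.join('.'));
    findPrototypeKeys(value[key], here, found);
  }
  return found;
}

// Parse untrusted JSON and refuse it outright if any forbidden key is present,
// so the caller never has to decide what to do with a partially cleaned object.
function parseUntrustedJson(text) {
  const parsed = JSON.parse(text);
  const bad = findPrototypeKeys(parsed);
  if (bad.length > 0) {
    throw new Error(`rejected prototype-polluting key(s): ${bad.join(', ')}`);
  }
  return parsed;
}

// Runtime canary: reports whether Object.prototype has gained an own property
// it should not have (the advisory's PoC sets "polluted").
function prototypeIsPolluted(marker = 'polluted') {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Constructed inputs: the PoC shape quoted in the advisory, a nested variant
// using constructor.prototype, and a benign debug configuration.
const MALICIOUS = '{"__proto__":{"polluted":true}}';
const NESTED = '{"level":"debug","opts":{"constructor":{"prototype":{"x":1}}}}';
const BENIGN = '{"level":"debug","opts":{"color":true}}';

// Stand-alone demonstration: the benign input passes, the others are refused.
const cfg = parseUntrustedJson(BENIGN);
for (const text of [MALICIOUS, NESTED]) {
  try { parseUntrustedJson(text); } catch (e) { console.log(e.message); }
}
console.log('config accepted:', JSON.stringify(cfg), 'polluted:', prototypeIsPolluted());
```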

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Ecosystem   Affected versions   Patched versions
@abw/badger-database  npm         <= 1.2.1            none

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0. No linked articles in our index yet.