CVE-2021-25944

Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

### Overview Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. ### Details The NPM module `deep-defaults` can be abused by Prototype Pollution vulnerability since the function `_deepDefaults()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution. ### PoC The `_deepDefaults ()` function accepts `dest`, `src` as arguments. Due to the absence of validation on the values passed into the `src` argument, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly be assigned to the new object thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the valued would be substituted as "Yes! Its Polluted" as it had been polluted. ```js var deepDefaults = require("deep-defaults") var malicious_payload = '{"__proto__":{"polluted":"Yes! Its Polluted"}}'; var obj ={}; console.log("Before : " + {}.polluted); deepDefaults(obj, JSON.parse(malicious_payload)); console.log("After : " + {}.polluted); ```

### Overview Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. ### Details The NPM module `deep-defaults` can be abused by Prototype Pollution vulnerability since the function `_deepDefaults()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution. ### PoC The `_deepDefaults ()` function accepts `dest`, `src` as arguments. Due to the absence of validation on the values passed into the `src` argument, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly be assigned to the new object thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the valued would be substituted as "Yes! Its Polluted" as it had been polluted. ```js var deepDefaults = require("deep-defaults") var malicious_payload = '{"__proto__":{"polluted":"Yes! Its Polluted"}}'; var obj ={}; console.log("Before : " + {}.polluted); deepDefaults(obj, JSON.parse(malicious_payload)); console.log("After : " + {}.polluted); ```

La vulnerabilidad de contaminación del prototipo en las versiones 1.0.0 hasta 1.0.5 de 'deep-defaults' permite al atacante causar una Denegación de Servicio y puede llevar a una ejecución de código remota