@huntr-helper

@yoshino-s (https://huntr.dev/users/Yoshino-s) has fixed a potential Prototype Pollution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
--- | ---
Version Affected | *
Bug Fix | YES
Original Pull Request | 418sec#1

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @yoshino-s, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-expr-eval/

⚙️ Description *

With specific input attackers can define properties on prototype, which will lead to prototype pollution.

Needs node version>=12.0.0, which introduces Object.fromEntries

💻 Technical Description *

When we access a global value, it will just search by item.value in expr.functions, with which we can also access prototype, __proto__, constructor, and assign some properties on it.

🐛 Proof of Concept (PoC) *

```javascript
// PoC.js (run against the unfixed version)
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= polluted
```

🔥 Proof of Fix (PoF) *

```javascript
// PoF.js (run against the fixed version)
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= undefined
```
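As an added illustration (not expr-eval's code and not the merged fix), the following models the "global value" lookup the report describes: a plain property read on a table keyed by an identifier from the input, beside a hardened lookup that only sees the table's own entries and rejects the keys that reach the prototype chain. `lookupGlobalUnsafe`, `lookupGlobalSafe` and the `functions` table are constructed here as stand-ins for expr.functions.

```javascript
// Added example, not expr-eval's own code. `functions` stands in for
// expr.functions; `name` is the identifier taken from the parsed input.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: a plain property read walks the prototype chain,
// so "__proto__" yields Object.prototype and "constructor" yields Object.
function lookupGlobalUnsafe(functions, name) {
  return functions[name];
}

// Hardened pattern: only own entries of the table are visible, and the
// keys that expose the prototype chain are rejected up front.
function lookupGlobalSafe(functions, name) {
  if (DANGEROUS_KEYS.has(name) ||
      !Object.prototype.hasOwnProperty.call(functions, name)) {
    return undefined;
  }
  return functions[name];
}

// Constructed stand-in for expr.functions with one registered helper.
const functions = { double: (x) => 2 * x };

// True when a lookup hands the caller an object that every plain object
// inherits from (the sink that Object.assign(__proto__, ...) writes to).
function reachesObjectPrototype(lookup) {
  const proto = lookup(functions, '__proto__');
  const ctor = lookup(functions, 'constructor');
  return proto === Object.prototype || ctor === Object;
}
```

Registered helpers still resolve through the safe lookup, while inherited names such as hasOwnProperty no longer leak from the table either.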

@JamieSlome

@silentmatt - any update here?

@yoshino-s

@silentmatt - any update here?

@silentmatt silentmatt merged commit 6e889e0 into silentmatt:master Oct 11, 2021
@albanm

albanm commented Jun 20, 2024

This was merged but never released and it is a critical vulnerability. Can it be released?

@vladko312

@silentmatt - any update here?

@yoshino-s

This package seems to have a lot of weekly downloads despite being mostly abandoned. This prototype pollution also has a side effect of the function constructor access leading to RCE. It seems like the best way to fix this problem would be a direct CVE request to MITRE or another appropriate CNA. Since this vulnerability was found by you, I believe you should get the credit for the CVE too.

@noren95

noren95 commented Nov 16, 2025

This one was assigned CVE-2025-13204 and fixed in expr-eval-fork
