Hej! 👋 This repository contains a collection of Server-Side Prototype Pollution gadgets found in Node.js, Deno standard libraries, and various third-party NPM packages. We also compile information about known exploits against popular applications to showcase the impact of these gadgets.
Prototype pollution is a vulnerability specific to JavaScript and TypeScript that allows an attacker to modify an object's prototype with attacker-controlled properties. The severity of these vulnerabilities hinges on gadgets, fragments of existing code in vulnerable applications that read undefined properties and execute security-sentitive actions. For instance, these gadgets can lead to Remote Code Execution (RCE) attacks.
If you're new to server-side Prototype Pollution, check out our DEF CON 31 talk for a quick 20-minute introduction to Prototype Pollution vulnerabilities in Node.js, gadgets, and an example of a real RCE exploit. All accompanying materials, such as CodeQL queries, benchmarks, experimental results, and links to extended talks, are available in the repo Silent Spring.
We also recommend checking out these papers and blog posts:
- The seminal paper "JavaScript prototype pollution attack in NodeJS" by Olivier Arteau provides many details on the exploitation and mitigation of Prototype Pollution on the server-side.
- The paper
"Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js"
by Shcherbakov et al. introduces a tool for Prototype Pollution detection and
and the first gadgets in Node.js stdlib, including a gadget in
require. This repository was developed as a result of this research project. 🤓 - The blog post "Server-side prototype pollution: Black-box detection without the DoS" by Gareth Heyes focuses on server-side gadgets and how to detect Prototype Pollution using black-box techniques.
- The paper "Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences" by Zhengyu Liu et al. presents a methodology for constructing chains of Prototype Pollution gadgets.
- The write-up "Remote Code Execution via Prototype Pollution in Blitz.js" provides an exciting story of exploiting Prototype Pollution in Blitz.js, a fullstack toolkit for Next.js.
- Is Prototype Pollution possible on the client-side? Check out this repo
Note
If you want to add new gadgets, please create a Pull Request. Feel free to ask any questions, discuss new ideas for Prototype Pollution research, or suggest improvements for this repo. Contact: Mikhail Shcherbakov, Eric Cornelissen, and Musard Balliu
| Function | Polluted Properties | Type | Notes | Found by |
|---|---|---|---|---|
| child_process.exec | NODE_OPTIONS |
ACI | Silent Spring | |
| child_process.execFile | NODE_OPTIONS |
ACI | Silent Spring | |
| child_process.execFileSync | shell; NODE_OPTIONS |
ACI | Silent Spring | |
| child_process.execFileSync | shell; input |
ACI | Silent Spring | |
| child_process.execSync | NODE_OPTIONS |
ACI | Silent Spring | |
| child_process.execSync | shell; env |
ACI | Michał Bentkowski and Silent Spring | |
| child_process.execSync | shell; input |
ACI | Silent Spring | |
| child_process.fork | NODE_OPTIONS |
ACI | Silent Spring | |
| child_process.spawn | shell; env |
ACI | Silent Spring | |
| child_process.spawn | shell; input |
ACI | Silent Spring | |
| child_process.spawnSync | shell; NODE_OPTIONS |
ACI | Silent Spring | |
| child_process.spawnSync | shell; env |
ACI | Michał Bentkowski and Silent Spring | |
| child_process.spawnSync | shell; input |
ACI | Silent Spring | |
| fetch | method; body; referrer |
Privilege Escalation | TBA | |
| fetch | socketPath |
SSRF | TBA | |
| http.get | hostname, headers, method, path, port |
SSRF | TBA | |
| http.request | hostname, headers, method, path, port |
SSRF | TBA | |
| http.Server.listen | backlog |
Segfault | TBA | |
| https.get | hostname, headers, method, path, port, NODE_TLS_REJECT_UNAUTHORIZED |
SSRF | TBA | |
| https.request | hostname, headers, method, path, port, NODE_TLS_REJECT_UNAUTHORIZED |
SSRF | TBA | |
| import | source |
ACE | TBA | |
| tls.connect | path, port, NODE_TLS_REJECT_UNAUTHORIZED |
Second order SSRF | TBA | |
| require | main; NODE_OPTIONS |
ACI | main property in package.json of the loaded package |
Silent Spring |
| require | main; NODE_OPTIONS |
ACI | package.json in the directory from the argument |
TBA |
| Worker.constructor | argv, env, eval |
Second order ACE and env injection | TBA |
| Function | Polluted Properties | Type | Notes | Found by |
|---|---|---|---|---|
| fetch | body; headers; method; 0 |
Server Side Request Forgery | Limited by network permissions | TBA |
| Deno.makeTempDir | dir |
Path Traversal | Limited by file system permissions | TBA |
| Deno.makeTempDir | prefix |
Path Traversal | Limited by file system permissions* |
TBA |
| Deno.makeTempDirSync | dir |
Path Traversal | Limited by file system permissions | TBA |
| Deno.makeTempDirSync | prefix |
Path Traversal | Limited by file system permissions* |
TBA |
| Deno.makeTempFile | dir |
Path Traversal | Limited by file system permissions | TBA |
| Deno.makeTempFile | prefix |
Path Traversal | Limited by file system permissions* |
TBA |
| Deno.makeTempFileSync | dir |
Path Traversal | Limited by file system permissions | TBA |
| Deno.makeTempFileSync | prefix |
Path Traversal | Limited by file system permissions* |
TBA |
| Deno.mkdir | mode |
Privilege Escalation | options must not be undefined |
TBA |
| Deno.mkdirSync | mode |
Privilege Escalation | options must not be undefined |
TBA |
| Deno.open | append |
Unauthorized Modifications | TBA | |
| Deno.open | mode |
Privilege Escalation | TBA | |
| Deno.open | truncate |
Unauthorized Modifications | TBA | |
| Deno.openSync | append |
Unauthorized Modifications | TBA | |
| Deno.openSync | mode |
Privilege Escalation | TBA | |
| Deno.openSync | truncate |
Unauthorized Modifications | TBA | |
| Deno.writeFile | append |
Unauthorized Modifications | TBA | |
| Deno.writeFile | mode |
Privilege Escalation | Affects new and existing files | TBA |
| Deno.writeFileSync | append |
Unauthorized Modifications | TBA | |
| Deno.writeFileSync | mode |
Privilege Escalation | Affects new and existing files | TBA |
| Deno.writeTextFile | append |
Unauthorized Modifications | TBA | |
| Deno.writeTextFile | mode |
Privilege Escalation | Affects new and existing files | TBA |
| Deno.writeTextFileSync | append |
Unauthorized Modifications | TBA | |
| Deno.writeTextFileSync | mode |
Privilege Escalation | Affects new and existing files | TBA |
| Deno.run | cwd |
Path Traversal | TBA | |
| Deno.run | uid |
Privilege Escalation | unstable option | TBA |
| Deno.run | gid |
Privilege Escalation | unstable option | TBA |
| Deno.Command | cwd |
Path Traversal | TBA | |
| Deno.Command | uid |
Privilege Escalation | TBA | |
| Deno.Command | gid |
Privilege Escalation | TBA | |
| node:child_process.spawn | uid |
Privilege Escalation | TBA | |
| node:child_process.spawn | gid |
Privilege Escalation | TBA | |
| node:child_process.spawn | shell; env |
Arbitrary Code Execution | Limited by run permissions | TBA |
| node:child_process.spawnSync | shell; env |
Arbitrary Code Execution | Limited by run permissions | TBA |
| node:child_process.exec | shell; env |
Arbitrary Code Execution | Limited by run permissions | TBA |
| node:child_process.execSync | shell; env |
Arbitrary Code Execution | Limited by run permissions | TBA |
| node:child_process.execFileSync | shell; env |
Arbitrary Code Execution | Limited by run permissions | TBA |
| node:fs.appendFile | length |
Hanging | Can't be prevented (not an option) | TBA |
| node:fs.appendFile | offset |
Out of Memory | Can't be prevented (not an option) | TBA |
| node:fs.writeFile | length |
Hanging | Can't be prevented (not an option) | TBA |
| node:fs.writeFile | offset |
Out of Memory | Can't be prevented (not an option) | TBA |
| node:http.request | hostname; method; path; port |
Server Side Request Forgery | Limited by network permissions | TBA |
| node:https.request | hostname; method; path; port |
Server Side Request Forgery | Limited by network permissions | TBA |
| node:zlib.createBrotliCompress | params |
Panic | TBA | |
| json.JsonStringifyStream | prefix |
Unauthorized Modifications | TBA | |
| json.JsonStringifyStream | suffix |
Unauthorized Modifications | TBA | |
| log.FileHandler | formatter |
Log Pollution | TBA | |
| dotenv.load | defaultsPath |
Env injection | TBA | |
| dotenv.load | envPath |
Env injection | TBA | |
| dotenv.load | export |
Env injection | TBA | |
| dotenv.loadSync | envPath |
Env injection | TBA | |
| dotenv.loadSync | defaultsPath |
Env injection | TBA | |
| dotenv.loadSync | export |
Env injection | TBA | |
| tar.Tar.append | uid |
Privilege Escalation | TBA | |
| tar.Tar.append | gid |
Privilege Escalation | TBA | |
| yaml.stringify | indent |
Out of Memory | TBA |
*: This was not the case prior to Deno v1.41.1, see CVE-2024-27931.
| Package | Version | Function | Polluted Properties | Type | Found by |
|---|---|---|---|---|---|
| asyncawait | 3.0.0 | require | shell; NODE_OPTIONS |
ACI | Dasty |
| better-queue | 3.8.12 | push | store |
LFI* | Dasty |
| binary-parser | 2.2.1 | parse | alias |
ACE | Dasty |
| bson | 4.7.2 | deserialize | evalFunctions |
ACE | Silent Spring |
| chrome-launcher | 0.15.2 | launch | shell; NODE_OPTIONS |
ACI | Dasty |
| coffee | 5.5.0 | fork | env |
ACI | Dasty |
| coffee | 5.5.0 | spawn | shell; env |
ACI | Dasty |
| crawler | 1.4.0 | queue | repo |
LFI* | Dasty |
| cross-port-killer | 1.4.0 | kill | shell; env |
ACI | Dasty |
| cross-spawn | 7.0.3 | spawn | shell; NODE_OPTIONS |
ACI | Dasty |
| cross-spawn | 7.0.3 | spawn.sync | shell; NODE_OPTIONS |
ACI | Dasty |
| csv-write-stream | 2.0.0 | end | separator |
ACE | Dasty |
| dockerfile_lint | 0.3.4 | DockerFileValidator | arrays.regex |
ACE | Dasty |
| download-git-repo | 3.0.2 | download-git-repo | clone; GIT_SSH_COMMAND |
ACI | Dasty |
| dtrace-provider | 0.8.5 | require | any | LFI* | Dasty |
| ejs | 3.1.9 | render | client; escapeFunction |
ACE | Dasty |
| esformatter | 0.11.3 | format | plugins |
LFI | Dasty |
| exec | 0.2.1 | exec | shell |
ACI | Dasty |
| external-editor | 3.1.0 | edit | shell; NODE_OPTIONS |
ACI | Dasty |
| external-editor | 3.1.0 | editAsync | shell; NODE_OPTIONS |
ACI | Dasty |
| fibers | 5.0.3 | require | shell; NODE_OPTIONS |
ACI | Dasty |
| find-process | 1.4.7 | find-process | shell; NODE_OPTIONS |
ACI* | Dasty |
| fluent-ffmpeg | 2.1.2 | preset | presets |
LFI* | Dasty |
| forever-monitor | 3.0.3 | start | command |
ACI | Dasty |
| gh-pages | 5.0.0 | publish | shell; NODE_OPTIONS |
ACI | Dasty |
| gift | 0.10.2 | clone | shell; NODE_OPTIONS |
ACI | Dasty |
| git-clone | 0.2.0 | git-clone | GIT_SSH_COMMAND |
ACI | Dasty |
| gm | 1.25.0 | gm | appPath |
ACI | Dasty |
| growl | 1.10.5 | growl | exec |
ACI | Dasty |
| hbsfy | 2.8.1 | configure | p |
LFI | Dasty |
| hbsfy | 2.8.1 | compile | p |
LFI | Dasty |
| jsdoc-api | 8.0.0 | explain | NODE_OPTIONS |
ACI | Dasty |
| jsdoc-api | 8.0.0 | explainSync | env.NODE_OPTIONS |
ACI | Dasty |
| jsdoc-api | 8.0.0 | renderSync | NODE_OPTIONS |
ACI | Dasty |
| jsdoc-to-markdown | 8.0.0 | render | NODE_OPTIONS; source |
ACI | Dasty |
| jsdoc-to-markdown | 8.0.0 | renderSync | NODE_OPTIONS; source |
ACI | Dasty |
| liftoff | 4.0.0 | prepare | env.NODE_OPTIONS |
ACI | Dasty |
| lodash.template | 4.5.0 | lodash.template | sourceURL |
ACE | Alex Brasetvik |
| mrm-core | 7.1.14 | install | shell; env.NODE_OPTIONS |
ACI | Dasty |
| nodemailer | 6.9.1 | sendMail | sendmail; path; args |
ACI | Dasty |
| ping | 0.4.4 | sys.probe | shell |
ACI | Dasty |
| play-sound | 1.1.5 | play-sound | players |
ACI | Dasty |
| play-sound | 1.1.5 | play | player; env.NODE_OPTIONS |
ACI | Dasty |
| primus | 8.0.7 | parser | parser; value |
LFI | Dasty |
| primus | 8.0.7 | transformer | transformer; value |
LFI | Dasty |
| python-shell | 5.0.0 | runString | pythonPath; NODE_OPTIONS |
ACI | Dasty |
| require-from-string | 2.0.2 | require-from-string | prependPaths |
LFI* | Dasty |
| requireg | 0.2.2 | resolve | shell; env.NODE_OPTIONS |
ACI | Dasty |
| sonarqube-scanner | 3.0.1 | sonarqube-scanner | version |
ACI | Dasty |
| teen_process | 2.0.4 | start | shell; env.NODE_OPTIONS |
ACI | Dasty |
| the-script-jsdoc | 2.0.4 | the-script-jsdoc | shell; env.NODE_OPTIONS |
ACI | Dasty |
| tingodb | 0.6.1 | findOne | _sub |
ACE | Dasty |
| window-size | 1.1.1 | tput | shell; NODE_OPTIONS |
ACI | Dasty |
| winreg | 1.2.4 | values | shell; NODE_OPTIONS |
ACI | Dasty |
| workerpool | 6.4.0 | exec | env.NODE_OPTIONS |
ACI | Dasty |
*: denotes the gadgets that require the attacker’s control of a local file for
arbitrary code execution.
| Vulnerability Report | Application | Version | Attack | Gadget |
|---|---|---|---|---|
| CVE-2019-7609 | Kibana | 6.6.0 | RCE | child_process.spawn.lnx |
| HackerOne #852613 | Kibana | 7.6.2 | RCE | lodash.template |
| HackerOne #861744 | Kibana | 7.7.0 | RCE | lodash.template |
| Reported by Silent Spring | npm cli | 8.1.0 | RCE | child_process.spawn |
| CVE-2022-24760 | Parse Server | 4.10.6 | RCE | bson |
| CVE-2022-39396 | Parse Server | 5.3.1 | RCE | bson |
| CVE-2022-41878 | Parse Server | 5.3.1 | RCE | bson |
| CVE-2022-41879 | Parse Server | 5.3.1 | RCE | bson |
| Reported by Silent Spring | Parse Server | 5.3.1 | RCE | require #1 |
| CVE-2023-23917 | Rocket.Chat | 5.1.5 | RCE | bson |
| CVE-2023-31414 | Kibana | 8.7.0 | RCE | require #2 |
| CVE-2023-31415 | Kibana | 8.7.0 | RCE | nodemailer |
| CVE-2023-36475 | Parse Server | 6.2.1 | RCE | bson |