I would like to report prototype pollution in jQuery.
It allows an attacker to inject properties on Object.prototype.
module name: jquery
version: 3.3.1
npm page: https://www.npmjs.com/package/jquery
jQuery is a fast, small, and feature-rich JavaScript library.
1.6M NPM downloads in the last week
But this is jQuery, so I’d expect there are quite a few more downloads outside of NPM.
`$.extend` can be tricked into adding or modifying properties of the Object prototype. These properties will then be present on all objects. Note that only the "deep" version of `$.extend` is affected.
Users sometimes use `$.extend` for things like cloning an object or filling in defaults in an object with some options in it. It is not at all obvious that this is an unsafe operation.
It is a variant of this vulnerability:
https://hackerone.com/reports/310443
Craft an object with a property named `__proto__`, usually through `JSON.parse`, and pass it to the deep version of `$.extend`:

```javascript
// Deep-extend an empty object with parsed JSON that carries a "__proto__" key.
// The recursion merges into target["__proto__"], i.e. Object.prototype itself.
$.extend(true, {}, JSON.parse('{"__proto__": {"devMode": true}}'))
console.log({}.devMode); // true: a freshly created object now sees the injected property
```
Tested on jQuery 3.3.1 (and a few older versions), using Chrome 70 and Firefox 63.
How to escalate this depends on the application. After obtaining prototype pollution, an attacker can generally change the default value for any option provided to a function that takes an “options” argument, which is a fairly common pattern in JavaScript.
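As an added example (not code from the report or from jQuery, and it does not need jQuery to run), here is a minimal deep merge modelled on the shape of deep `$.extend`, once in the vulnerable form that recurses into `target["__proto__"]` and once with the `__proto__` key skipped, plus a check that reproduces the pollution from the PoC above and shows it gone after the fix. The function names and the `pollutes` helper are mine.

```javascript
// Added example (not the report's or jQuery's code): a minimal deep merge in the
// style of deep $.extend, in a vulnerable form and a hardened form, plus a check
// that shows whether Object.prototype was polluted by one merge.

// Vulnerable: recurses into target[name] for every key, including "__proto__",
// so target["__proto__"] (Object.prototype) silently becomes the merge target.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      const src = target[name];
      const clone = src && typeof src === "object" ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened: skip the "__proto__" key (and a self-reference that would loop
// forever), the kind of guard later jQuery releases added to $.extend.
function deepExtendSafe(target, source) {
  for (const name in source) {
    if (name === "__proto__" || target === source[name]) continue;
    const copy = source[name];
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      const src = target[name];
      const clone = src && typeof src === "object" ? src : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one merge on untrusted input (constructed here, mirroring the report's
// PoC), reports whether a fresh object now sees "devMode", then restores
// Object.prototype so later checks start from a clean state.
function pollutes(extendFn) {
  const untrusted = JSON.parse('{"__proto__": {"devMode": true}}');
  extendFn({}, untrusted);
  const polluted = ({}).devMode === true;
  delete Object.prototype.devMode; // undo the pollution
  return polluted;
}

console.log("vulnerable pollutes:", pollutes(deepExtendVulnerable)); // true
console.log("hardened pollutes:", pollutes(deepExtendSafe));         // false
```

The same skip is worth applying to any hand-written deep merge or "defaults" helper that walks keys of parsed JSON, since the problem is the recursion into an inherited accessor, not anything specific to jQuery.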