CVE-2023-45827: Dot Diver Prototype Pollution Vulnerability in Versions Prior to 1..2 Leading to Remote Code Execution (RCE)
Dot diver is a popular, lightweight, powerful, and dependency-free TypeScript utility library that helps developers perform various tasks by availing types and functions to work with object paths in dot notation. However, it recently came to light that there is a Prototype Pollution vulnerability in the setByPath function, affecting versions earlier than 1..2, which can eventually lead to remote code execution (RCE).
This blog post explores the details of this vulnerability (CVE-2023-45827), providing a code snippet, links to original references, and insight into the exploit. It is advised that users upgrade to the latest version (1..2) to safeguard themselves against this vulnerability.
Code Snippet Demonstrating the Vulnerability
Here's the code snippet showcasing the vulnerability in the setByPath function in earlier versions of Dot diver:
/**
* A vulnerable setByPath function implementation before version 1..2.
*/
function setByPath(target: any, path: string, value: any): any {
const segments = path.split('.');
for (let i = ; i < segments.length - 1; i++) {
target = target[segments[i]] = target[segments[i]] || {};
}
target[segments[segments.length - 1]] = value;
}
This vulnerability occurs due to the improper handling of object paths, which could result in Prototype Pollution when executing JavaScript functions through the prototype chain.
Exploit Details
An attacker can exploit this vulnerability using a crafted path string parameter. For instance, when the path parameter specifies a property on the prototype, an attacker can modify the prototype of the objects in the application, consequently manipulating the application's behavior and potentially leading to remote code execution.
Here's an example of how the exploit could work
const attackerPayload = '{"__proto__": {"hijack": "Executed!"}}';
const attackerObject = JSON.parse(attackerPayload);
setByPath({}, 'attackerObject.hijack', attackerObject.hijack);
console.log(({} as any).hijack); // Output: Executed!
In this example, the attacker created a payload that manipulates the prototype chain by setting the hijack property. Once executed, it tampers with the objects in the application, possibly resulting in remote code execution.
Security Measures and Fixes
The Dot diver team acknowledged this vulnerability and addressed the issue in commit 98daf567. The fix has been released in version 1..2 of the library. Users are highly advised to upgrade the library to the latest version, taking advantage of the patch addressing this vulnerability. There are no known workarounds to this issue as of yet.
To upgrade the Dot diver library, run the following command
npm i dot-diver@1..2
For more information about the fix and the commit, please visit the following links
- Dot Diver Github Repository
- Commit Addressing the Vulnerability (98daf567)
Conclusion
Adopting a proactive approach to stay updated on security issues and upgrading to the latest versions of software libraries is critical in ensuring a secure application environment. This post provided insights into the remote code execution vulnerability discovered in the Dot diver library, CVE-2023-45827, advising users to upgrade to the latest version (1..2) to mitigate the risks associated.
As developers and users, make sure to stay informed about similar security issues and updates for the best protection against vulnerabilities.
Timeline
Published on: 11/06/2023 18:15:08 UTC
Last modified on: 11/14/2023 17:10:21 UTC