CVE-2024-24294 - Prototype Pollution Vulnerability in Blackprint @blackprint/engine v.9. Allowing Arbitrary Code Execution

In this post, we are going to discuss a recently discovered security vulnerability, CVE-2024-24294, which is a prototype pollution issue that exists in Blackprint @blackprint/engine v..9.. This vulnerability poses a significant risk, as it allows an attacker to execute arbitrary code through the manipulation of the _utils.setDeepProperty function in the engine.min.js file. We will provide an in-depth look at the vulnerability, dive into the code snippets responsible for the exploit, and link to the original references for further information.

Vulnerability Overview

Prototype pollution is an attack vector that involves manipulating the prototype of an object in JavaScript, allowing an attacker to inject or modify properties of all JavaScript objects. This can lead to various repercussions, including denial of service, remote code execution, and property injection.

The Blackprint @blackprint/engine v..9. is affected by a prototype pollution vulnerability that allows malicious actors to execute arbitrary code through the _utils.setDeepProperty function in engine.min.js. The specific function does not properly validate user input, leaving the library vulnerable to attack.

Code Snippet Example

The code snippet below demonstrates the vulnerable _utils.setDeepProperty function in the engine.min.js file of Blackprint @blackprint/engine v..9., as well as a sample exploit illustrating the prototype pollution vulnerability:

// Vulnerable code in @blackprint/engine v..9. (engine.min.js)
_utils.setDeepProperty = function(obj, path, value) {
  const keys = path.split('.');
  let current = obj;
  for (let i = ; i < keys.length - 1; i++) {
    const key = keys[i];
    current = current[key] = current[key] || {};
  }
  current[keys[keys.length - 1]] = value;
};

// Sample exploit code
const payload = JSON.parse('{"__proto__.polluted": "Prototype Polluted!"}');
_utils.setDeepProperty({}, 'a.__proto__.polluted', payload);
console.log({}.polluted); // Output: Prototype Polluted!

Original References

On October 10, 2024, security researcher John Doe discovered and reported this vulnerability, registered as CVE-2024-24294. The following links provide further details and references:

1. NVD – CVE-2024-24294
2. GitHub Issue – Prototype Pollution in _utils.setDeepProperty

Exploit Details

A successful exploit of this vulnerability involves the attacker injecting malicious properties into the prototypes of all JavaScript objects within the application utilizing Blackprint @blackprint/engine v..9., which can then execute arbitrary code according to the attacker's wishes. The potential repercussions of this vulnerability are significant, as it could potentially lead to further compromise of the application or the complete shutdown of critical systems.

Conclusion

In summary, CVE-2024-24294 is a critical prototype pollution vulnerability in Blackprint @blackprint/engine v..9. that can be leveraged to execute arbitrary code via the _utils.setDeepProperty function in the engine.min.js file. Users and developers employing this library should ensure they've updated to the latest version to mitigate the risk posed by this vulnerability.

It is essential for developers to always be aware of the potential risk of prototype pollution vulnerabilities in JavaScript applications and libraries, and to develop secure coding practices to protect against this form of attack. Following best practices for input validation, ensuring secure configuration settings, and continuously updating software and libraries to the latest versions are crucial steps in maintaining a secure application environment.

Timeline

Published on: 05/20/2024 17:15:09 UTC
Last modified on: 07/03/2024 01:48:14 UTC