A vulnerability (CVE-2024-57079) has been identified in the lib.deepMerge function of the popular package @zag-js/core. It affects version .50. and allows an attacker to cause a Denial of Service (DoS) with a crafted payload. This article explains the origin and consequences of this prototype pollution flaw, gives a simple explanation of how the exploit works, and provides code snippets, references, and suggestions for mitigating the associated risk.
Vulnerability Details
The vulnerability (CVE-2024-57079) arises from a prototype pollution flaw. Put simply, prototype pollution is the ability of an attacker to add or alter properties on the prototype shared by JavaScript objects; because ordinary objects inherit from that prototype, the injected properties become visible across the application and can lead to unintended access and unauthorized modification of sensitive data.
The lib.deepMerge function of @zag-js/core package is designed to merge multiple source objects into a target object. However, this function does not perform adequate validation of inputs, allowing an attacker to manipulate the target object's prototype by providing a malicious payload.
Consider the following code snippet taken from the lib.deepMerge function of @zag-js/core v.50.
    // Helper assumed by the snippet: the original code relies on isObject without showing it.
    const isObject = (item) => item !== null && typeof item === "object" && !Array.isArray(item);

    function deepMerge(target, source) {
      if (isObject(target) && isObject(source)) {
        // for...in with no own-property check and no filtering of "__proto__":
        // target["__proto__"] resolves to Object.prototype, which then becomes
        // the merge destination for the nested source object.
        for (const key in source) {
          if (isObject(source[key])) {
            if (!target[key]) Object.assign(target, { [key]: {} });
            deepMerge(target[key], source[key]);
          } else {
            Object.assign(target, { [key]: source[key] });
          }
        }
      }
      return target;
    }
Malicious Payload
    {
      "__proto__": {
        "attackerData": "I can manipulate your data."
      }
    }
Because @zag-js/core performs no input validation in deepMerge, an attacker can place the malicious payload in the source object. The merge then walks into the target object's prototype and writes the "attackerData" property there, exposing it to every object in the application that uses the vulnerable package.
Attack Scenario
An application that calls deepMerge to merge user-controlled data (for example, data originating from external sources) is particularly exposed. By supplying a malicious payload, the attacker can induce a Denial of Service or otherwise compromise the security and stability of the affected application.
Mitigation
As of now, there is no official patch provided by the package maintainers for this vulnerability. In the interim, users are advised to disable or restrict access to the function in question or consider alternative packages that offer secure deep merge functionality, such as lodash.
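As an added example (not code from @zag-js/core or from the advisory), the following shows a deepMerge hardened against the pattern described above, together with a probe a defender can use to check whether Object.prototype already carries an unexpected property. The function names, the FORBIDDEN_KEYS set and the sample payload wrapper are chosen here for illustration.

```javascript
// Added example, not code from @zag-js/core: a deepMerge hardened against the
// prototype-pollution pattern described above, plus a probe for detecting whether
// Object.prototype has already been polluted. All names here are chosen for the example.

const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Keys that let a merge walk out of the target object and into a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepMerge(target, source) {
  if (!isObject(target) || !isObject(source)) return target;
  // Object.keys() yields only own enumerable keys, unlike for...in, so
  // properties inherited by the source are never copied forward.
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the pollution vector entirely
    const value = source[key];
    if (isObject(value)) {
      // Only recurse into a nested object that the target itself owns; an
      // inherited value (e.g. Object.prototype via target["__proto__"]) is
      // never used as a merge destination.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defensive probe: true if a property has been written onto Object.prototype itself.
function isPrototypePolluted(propertyName) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, propertyName);
}

// Merge untrusted JSON (e.g. a request body) into a target; JSON.parse creates
// "__proto__" as an own key, which is exactly why it must be filtered.
function mergeUntrustedJson(target, jsonText) {
  return safeDeepMerge(target, JSON.parse(jsonText));
}

// Constructed sample input: the article's payload plus an ordinary field.
const SAMPLE_PAYLOAD =
  '{"__proto__": {"attackerData": "I can manipulate your data."}, "name": "alice"}';

const merged = mergeUntrustedJson({ role: "user" }, SAMPLE_PAYLOAD);
console.log(merged, "polluted:", isPrototypePolluted("attackerData"));
```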
Original References
1. CVE-2024-57079: National Vulnerability Database (NVD)
2. GitHub Security Advisory
Conclusion
The CVE-2024-57079 vulnerability in the @zag-js/core package poses a significant security risk due to its potential for prototype pollution and subsequent Denial of Service attacks. Users should be vigilant and take steps to mitigate these threats by restricting access to the vulnerable function, using alternative packages with secure deep merge functionality, and applying updates as they become available.
Timeline
Published on: 02/05/2025 22:15:32 UTC
Last modified on: 03/18/2025 21:15:31 UTC