CVE-2022-21190 affects the package Convict before version 6.2.3, allowing attackers to bypass the security fix introduced in response to CVE-2022-22143. The issue occurs because that fix relies on the startsWith method, which only rejects a path that begins with a forbidden prefix and says nothing about the rest of the path. An attacker can bypass the check by prepending any string followed by a dot to a dangerous path, for example foo.__proto__ or foo.this.constructor.prototype.

Code Snippet Illustrating the Vulnerability

The vulnerability occurs because Convict's check relies on startsWith, which inspects only the beginning of the whole dotted path. The following simplified snippet illustrates the pattern:

const checkForbiddenPath = (path) => {
  // Only the beginning of the whole dotted path is compared
  if (
    path.startsWith("__proto__") ||
    path.startsWith("this.constructor.prototype")
  ) {
    throw new Error("Forbidden path detected");
  }
};

const handleInput = (input) => {
  // The full key is handed to the check as one string; it is never split into segments
  checkForbiddenPath(input);

  // Proceed with processing the input
};

handleInput("foo.__proto__.bar"); // Passes the check: the path does not begin with a forbidden prefix

As seen in the example above, an attacker can bypass the startsWith check simply by prepending a string such as foo to the malicious path, because the forbidden segment no longer sits at the start of the string. This reopens the vulnerability that the fix in Convict was meant to close.

To exploit this vulnerability, an attacker can craft a payload using JSON, as shown below:

{
  "foo.__proto__.bar": "value"
}

Upon processing this payload, the key foo.__proto__.bar passes the check implemented in Convict's package, so the payload reaches the same code path that the fix for CVE-2022-22143 was meant to protect, with the same potential impact: exposure of sensitive information or other malicious outcomes.

Solution and Recommendations

To mitigate this vulnerability, users should update to Convict version 6.2.3 or later. Developers who carry a similar check in their own code should also revisit it to address this specific bypass, for example by rewriting a function like checkForbiddenPath so that it does not depend on the position of the forbidden name within the path.

Users can update their Convict package by running the command:

npm install convict@latest

Developers should also consider implementing more robust security checks that do not rely solely on the startsWith method. A more comprehensive method is to tokenize the input on the dot separator and check each token for forbidden names, so that a forbidden segment is rejected wherever it appears in the path. Bypasses such as the one described in this post are then caught regardless of what precedes the dangerous segment.
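The following is an added example, written for this post and not taken from Convict's source, that places the prefix-only check described above beside a segment-based check of the kind recommended here. The function names (isForbiddenByPrefix, isForbiddenBySegment, safeSet), the sample keys and the list of forbidden segment names are my own choices; the segment list is deliberately broader than the two prefixes on the page, since any of __proto__, constructor or prototype appearing as a whole segment is a prototype-pollution risk.

```javascript
// Added example, not Convict's code. Names and sample keys are constructed for this post.

// Forbidden segment names (assumption: a broader list than the page's two prefixes).
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: only the start of the whole dotted path is inspected,
// so "foo.__proto__.bar" is accepted.
function isForbiddenByPrefix(path) {
  return (
    path.startsWith("__proto__") ||
    path.startsWith("this.constructor.prototype")
  );
}

// Hardened pattern: split on "." and reject if ANY segment is a forbidden name,
// regardless of what precedes it.
function isForbiddenBySegment(path) {
  return path.split(".").some((segment) => FORBIDDEN_SEGMENTS.has(segment));
}

// Compare both checks over a set of keys; returns one row per key.
function evaluate(keys) {
  return keys.map((key) => ({
    key,
    prefix: isForbiddenByPrefix(key),
    segment: isForbiddenBySegment(key),
  }));
}

// Defensive setter: validate the whole path with the segment check before
// walking the object, and only descend into own, plain-object properties.
function safeSet(target, path, value) {
  if (isForbiddenBySegment(path)) {
    throw new Error(`Forbidden path: ${path}`);
  }
  const segments = path.split(".");
  let current = target;
  for (const segment of segments.slice(0, -1)) {
    const isOwnObject =
      Object.prototype.hasOwnProperty.call(current, segment) &&
      typeof current[segment] === "object" &&
      current[segment] !== null;
    if (!isOwnObject) {
      current[segment] = {};
    }
    current = current[segment];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Constructed sample keys: the two bypass shapes from the post plus benign and
// direct cases.
const SAMPLE_KEYS = [
  "__proto__.polluted",
  "this.constructor.prototype.polluted",
  "foo.__proto__.polluted",
  "foo.this.constructor.prototype.polluted",
  "server.port",
];

console.table(evaluate(SAMPLE_KEYS));
```

Running the block prints a table in which the prefix column is false for both foo-prefixed keys while the segment column is true, which is exactly the gap the bypass exploits. safeSet is the shape a defender wants at the point where a user-supplied key is turned into an object write: the path is rejected before any property is touched.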

Conclusion

The CVE-2022-21190 vulnerability in the Convict package before version 6.2.3 demonstrates the importance of implementing robust security checks and regularly updating packages. By understanding why a prefix check built on startsWith is insufficient, developers can better secure their code and applications from this class of bypass and its associated risks.

Timeline

Published on: 05/13/2022 20:15:00 UTC
Last modified on: 05/24/2022 14:11:00 UTC