CVE-2022-21803 is a Prototype Pollution vulnerability in the nconf package, affecting versions prior to 0.11.4. It is reachable in applications that use the "memory" engine for storing configuration data: the engine walks attacker-controlled, hierarchical keys without filtering special property names, so a crafted key containing a __proto__ segment lets an attacker write properties onto Object.prototype. Every object in the process then inherits those properties, which can change application behaviour in ways the developer never intended and, depending on how the polluted properties are used, open the door to further security issues. In this long read, we discuss the vulnerability in detail, demonstrate it with code snippets, and provide links to the original references for further study.

Understanding the CVE-2022-21803 Vulnerability

To understand the vulnerability, first, let's take a look at the nconf package, which is a popular Node.js module for managing configuration data. The package offers a flexible key-value store that supports different storage engines, including the memory engine.

The problem lies in the .set() function of the memory engine, which stores a configuration value under a key. Keys are hierarchical: the engine splits the key on its logical separator (':' by default, so 'database:host' addresses the host property inside the database object) and walks, creating where necessary, one nested object per segment before assigning the value under the last segment. The vulnerable versions do not check the segments themselves, so a segment equal to __proto__ makes the walk land on Object.prototype, and the final assignment adds the property to every object in the application.

Here's an example of how Prototype Pollution can occur:

const Nconf = require('nconf'); // a vulnerable release, i.e. anything before 0.11.4

const config = new Nconf.Provider({
  type: 'memory',
  readOnly: false
});

// ':' is nconf's default key separator, so this walks into Object.prototype
config.set('__proto__:test', 'CVE-2022-21803');

console.log({}.test); // Output: 'CVE-2022-21803'

In the above example, we created a new nconf.Provider instance backed by the memory engine, which is writable. We then called .set() with the crafted key __proto__:test. The engine resolves the __proto__ segment to Object.prototype and assigns test there, so the property is visible on a fresh, unrelated object, as the output shows.

Exploit Details

To exploit this vulnerability, an attacker needs to get a crafted key into a call that writes to the store. How that happens depends on the application: for instance, if it accepts user input as configuration parameters (a JSON request body, query parameters or a settings file the user controls), the attacker can place a key containing the __proto__ segment in that input and let the application inject it into the configuration.

Here's an example of how an attacker could exploit the vulnerability:

// continues from the previous example, reusing the same writable `config`
const payload = JSON.parse('{"__proto__:polluted": "Prototype Pollution!"}');

config.merge(payload);

console.log({}.polluted); // Output: 'Prototype Pollution!'

In the above example, we used .merge() to update the configuration with the attacker's payload. The payload is applied key by key through the same key-path handling as .set(), so the polluted property ends up on Object.prototype and is visible on every object in the application.

Mitigation

To mitigate this vulnerability, update the nconf package to version 0.11.4 or later, which contains the fix. You can do this by updating the version range in your package.json file and running npm install (or npm update nconf):

{
  "dependencies": {
    "nconf": "^0.11.4"
  }
}

Note that a caret range on a 0.x version only allows updates within 0.11.x; if you later move to a newer minor release, widen the range accordingly and re-run the install.

Additionally, treat configuration keys as untrusted input wherever users can influence them: reject keys with a segment of __proto__, constructor or prototype before they reach the store, and run npm audit in your build so that known advisories like this one fail the pipeline instead of shipping.
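As an added example (not nconf's own code and not part of the original article), the following JavaScript models the path-walking set() described in the Understanding section next to the key validation recommended above. vulnerableSet is a simplified stand-in for the pre-0.11.4 behaviour, safeSet is one possible hardening, and pollutes() is a hypothetical probe that reports whether a given key reaches Object.prototype. The separator, keys and values are constructed for the demonstration.

```javascript
// Added example, not nconf's code: a minimal model of a ':'-separated key-value
// store, shown vulnerable and then hardened. All keys and values are constructed.

const SEPARATOR = ':'; // nconf's default logical separator

// Vulnerable model: every path segment is used as a property name unchecked,
// so a '__proto__' segment makes the walk land on Object.prototype.
function vulnerableSet(store, key, value) {
  const path = key.split(SEPARATOR);
  let target = store;
  while (path.length > 1) {
    const segment = path.shift();
    if (!target[segment] || typeof target[segment] !== 'object') {
      target[segment] = {};
    }
    target = target[segment];
  }
  target[path.shift()] = value;
  return true;
}

// Hardened model: refuse any key with a segment that could escape the store,
// and build intermediate nodes without a prototype so that no later segment
// can alias Object.prototype either.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(store, key, value) {
  const path = key.split(SEPARATOR);
  if (path.some((segment) => FORBIDDEN_SEGMENTS.has(segment))) {
    return false; // reject the whole write instead of silently dropping a segment
  }
  let target = store;
  while (path.length > 1) {
    const segment = path.shift();
    const own = Object.prototype.hasOwnProperty.call(target, segment);
    if (!own || typeof target[segment] !== 'object' || target[segment] === null) {
      target[segment] = Object.create(null);
    }
    target = target[segment];
  }
  target[path.shift()] = value;
  return true;
}

// Hypothetical probe: write a unique marker through setFn and report whether it
// became visible on a fresh, unrelated object, i.e. whether Object.prototype was
// polluted. Removes the marker again so the process stays clean afterwards.
function pollutes(setFn, key) {
  const marker = 'pollution-marker-' + Math.random();
  setFn({}, key, marker);
  const leaf = key.split(SEPARATOR).pop();
  const polluted = ({})[leaf] === marker;
  if (polluted) {
    delete Object.prototype[leaf];
  }
  return polluted;
}

// Demo: the crafted key from the article against both models, plus a legitimate key.
const craftedKey = '__proto__:polluted';
console.log('vulnerableSet pollutes Object.prototype:', pollutes(vulnerableSet, craftedKey)); // true
console.log('safeSet pollutes Object.prototype:', pollutes(safeSet, craftedKey)); // false

const settings = {};
safeSet(settings, 'database:host', 'localhost');
console.log(settings.database.host); // localhost
```

safeSet rejects the write outright rather than stripping the bad segment, because a silently rewritten key would let an attacker overwrite an unrelated setting; the null-prototype intermediate nodes are a second layer for the case where a segment name is missed by the deny list.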

For more details about this vulnerability, you can refer to the following resources:

1. NPM Security Advisory: https://www.npmjs.com/advisories/21803
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21803
3. GitHub Commit with Fix: https://github.com/indexzero/nconf/commit/dff1e003acb1b5c4e5aabc41740ad94e5e34391

Conclusion

CVE-2022-21803 is a Prototype Pollution vulnerability in the nconf package, reachable through the memory engine's key-path handling. Update nconf to version 0.11.4 or later to close it, validate any user-influenced configuration keys before they reach the store, and follow secure coding practices to prevent similar vulnerabilities in the future.

Timeline

Published on: 04/12/2022 16:15:00 UTC
Last modified on: 04/20/2022 14:07:00 UTC