Dot diver is a TypeScript utility library that makes it easy to work with object paths written in dot notation. It's lightweight, dependency-free, and was steadily gaining traction for simplifying data-handling tasks in web applications. However, versions of dot diver prior to 1.0.2 contain a dangerous security flaw: Prototype Pollution in the setByPath function, tracked as CVE-2023-45827. This bug not only puts your codebase at risk, but in some circumstances, can open the door to full Remote Code Execution (RCE) — allowing an attacker to hijack your server.
What Is Prototype Pollution?
Prototype pollution bugs allow an attacker to add or change properties on the base Object.prototype in JavaScript. Because all objects inherit from Object.prototype, an attacker can poison any object that is created *after* the pollution occurs.
Why does this matter?
Where Dot Diver Went Wrong
In versions < 1.0.2, dot diver's setByPath function allows users to set any property path, including special properties like __proto__ or constructor.
Here is what a typical setByPath function might look like (simplified):
  function setByPath(obj, path, value) {
    const parts = path.split('.');
    let current = obj;
    // Walk every segment except the last, creating intermediate objects as needed
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      if (current[part] === undefined) {
        current[part] = {};
      }
      current = current[part]; // nothing stops `part` from being __proto__ here
    }
    current[parts[parts.length - 1]] = value;
  }
Notice there are no checks for reserved keys like __proto__. This means a user could trigger:
  const obj = {};
  setByPath(obj, "__proto__.polluted", "POISONED!");
  console.log({}.polluted); // "POISONED!"
This will pollute the prototype chain for every object in the runtime from this point on!
Why Is This So Dangerous?
In a web server or application, if input from a user is passed directly to setByPath, an attacker can pollute the prototype. Some frameworks, tools, or even your own code may then accidentally use these polluted properties, leading to logic bugs or far worse. In some cases, such as with certain deserialization libraries, prototype pollution can enable the attacker to reach RCE.
Exploit: Proof of Concept
Let's say a server is using dot diver before version 1.0.2, and takes user JSON data to update settings using setByPath:
  const body = JSON.parse(req.body); // e.g., { "path": "__proto__.isAdmin", "value": true }
  setByPath(userSettings, body.path, body.value);
An attacker could submit:
  {
    "path": "__proto__.isAdmin",
    "value": true
  }
Now, on *any* object, isAdmin will appear true:
  const check = {};
  if (check.isAdmin) {
    // Attacker now has admin privileges!
  }
Depending on your application's logic, this could mean privilege escalation, file overwrite, or even executing arbitrary functions.
Full Remote Code Execution (RCE)
If your code (or a loaded library) uses functions like eval, Function, or executes code based on property values, an attacker could leverage prototype pollution to get RCE. The specifics depend on how your app handles object properties after the pollution.
- Vulnerability discovered: Early 2023
- Patched in: Commit 98daf567, released as version 1.0.2
- Change: The patch filters out keys like __proto__, constructor, and prototype in setByPath.
After the fix, setByPath will refuse to walk special keys that lead to prototype pollution:
  const forbidden = ['__proto__', 'constructor', 'prototype'];
  // Rest of the logic prevents traversal through these keys
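To make the vulnerable walk and the fix concrete, here is an added example (not dot diver's own code, and not the project's actual patch) that places the simplified setByPath from above next to a hardened version. The hardened form rejects the three reserved keys before touching the object and only descends into own, plain-object properties, so an inherited value can never be used as the next container. The demonstrate helper runs the post's payload through both and reports whether a fresh object inherited the attacker-chosen property; the function names and the FORBIDDEN_KEYS constant are this example's own.

```javascript
// Added example: vulnerable path-setter beside a hardened one (not dot diver's code).

// Vulnerable form, as described in the post: no reserved-key checks at all.
function setByPathVulnerable(obj, path, value) {
  const parts = path.split('.');
  let current = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (current[part] === undefined) {
      current[part] = {};
    }
    current = current[part];
  }
  current[parts[parts.length - 1]] = value;
}

// Keys that let a path walk onto Object.prototype (the set the fix filters).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: refuse any forbidden segment before touching the object, and
// only descend into own, plain-object properties so an inherited value is
// never used as the next container.
function setByPathSafe(obj, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new TypeError(`setByPath: refusing to traverse reserved key "${part}"`);
    }
  }
  let current = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    const own = Object.prototype.hasOwnProperty.call(current, part);
    if (!own || typeof current[part] !== 'object' || current[part] === null) {
      current[part] = {};
    }
    current = current[part];
  }
  current[parts[parts.length - 1]] = value;
}

// Runs the post's payload through a setter and reports whether a fresh object
// inherited the attacker-chosen property afterwards. Cleans up so the rest of
// the process is not left polluted.
function demonstrate(setter) {
  const target = {};
  let threw = false;
  try {
    setter(target, '__proto__.polluted', 'POISONED!');
  } catch (e) {
    threw = true;
  }
  const leaked = ({}).polluted === 'POISONED!';
  delete Object.prototype.polluted;
  return { threw, leaked };
}

console.log('vulnerable:', demonstrate(setByPathVulnerable)); // { threw: false, leaked: true }
console.log('hardened:  ', demonstrate(setByPathSafe));       // { threw: true, leaked: false }
```

Throwing on a reserved segment, rather than silently skipping it, is the more useful behaviour for a server: the rejected request shows up in logs as an error, which is exactly the signal an attempted pollution should leave behind.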
What Should You Do?
If you use dot diver:
- Audit calls that use user-controlled input as a path.
There are NO safe workarounds for this vulnerability. Filtering input in your own code is error-prone and not recommended.
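Upgrading removes the bug, but code that consumes the resulting objects can still be written so a polluted prototype is noticed and does not decide anything. The following is an added example (not from dot diver or this post) of two such defensive checks: a startup snapshot of Object.prototype's own keys that a health check or test suite can diff against, and privilege lookups that read own properties only (or use null-prototype containers). The runScenario function constructs a polluted state to show how each check behaves and then cleans it up; all names here are this example's own.

```javascript
// Added example: detecting and containing prototype pollution in consuming code
// (not dot diver's code).

// 1. Snapshot Object.prototype's own keys at startup. Any key that appears
//    later is a pollution indicator worth logging or failing a health check on.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function detectPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((key) => !PROTOTYPE_BASELINE.has(key));
}

// 2. Authorization-style lookups read own properties only, so an inherited
//    (polluted) value is never mistaken for a real setting.
function isAdminUser(settings) {
  return Object.prototype.hasOwnProperty.call(settings, 'isAdmin') &&
    settings.isAdmin === true;
}

// 3. A settings container created without a prototype cannot inherit anything
//    from Object.prototype at all.
function createSettings(initial = {}) {
  const settings = Object.create(null);
  for (const [key, value] of Object.entries(initial)) settings[key] = value;
  return settings;
}

// Simulates the state the post's payload leaves behind (constructed here by
// assigning to Object.prototype directly) and shows how each check behaves.
function runScenario() {
  const before = detectPrototypePollution();                   // []
  Object.prototype.isAdmin = true;                              // constructed pollution
  const detected = detectPrototypePollution();                  // ['isAdmin']
  const naive = ({}).isAdmin === true;                          // true: inherited value leaks into a naive check
  const hardened = isAdminUser({});                             // false: own-property check ignores it
  const nullProto = createSettings({ theme: 'dark' }).isAdmin;  // undefined: nothing to inherit from
  delete Object.prototype.isAdmin;                              // undo for the rest of the process
  return { before, detected, naive, hardened, nullProto };
}

console.log(runScenario());
```

The baseline diff is cheap enough to run on every request in a middleware or on a timer; a non-empty result means something in the process has already walked onto Object.prototype, and the offending key name usually points straight at the code path that accepted the attacker's input.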
References
- CVE-2023-45827 on NVD
- Original fix on GitHub
- Release 1.0.2
- About Prototype Pollution (OWASP)
Conclusion
Prototype pollution is a subtle but devastating vulnerability — especially in libraries that deal with data paths like dot diver. If exploited, it can poison your entire runtime and possibly permit remote code execution. Upgrading to the latest version, and patching this in your own code, is non-negotiable.
Timeline
Published on: 11/06/2023 18:15:08 UTC
Last modified on: 11/14/2023 17:10:21 UTC