APIDevTools / json-schema-ref-parser

Parse, Resolve, and Dereference JSON Schema $ref pointers in Node and browsers
https://apitools.dev/json-schema-ref-parser
MIT License

Prototype Pollution vulnerability affecting @apidevtools/json-schema-ref-parser, versions 11.0.0, 11.1.0 #336

Closed tariqhawis closed 5 months ago

tariqhawis commented 5 months ago

Overview

json-schema-ref-parser is an NPM package to parse, resolve, and dereference JSON Schema $ref pointers.

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by passing specially crafted input to this function.

Details:

The vulnerable functions `bundle()`, `parse()`, `resolve()` and `dereference()` pass the argument "options" to an unsafe merge method, which recursively copies properties from one object to another. Such a function has the potential to modify any object reachable from the destination object, and the built-in Object.prototype is usually reachable through the special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.

The call stack:

```
getNewOptions (@apidevtools/json-schema-ref-parser/dist/lib/options.js:80)
normalizeArgs (@apidevtools/json-schema-ref-parser/dist/lib/normalize-args.js:35)
$RefParser.parse (@apidevtools/json-schema-ref-parser/dist/lib/index.js:71)
Module.parse (@apidevtools/json-schema-ref-parser/dist/lib/index.js:138)
```

PoC:

sent in a private message to the maintainer

How to prevent:

  • Freeze the root prototype using Object.freeze
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
  • As a best practice use Map instead of Object

    -- Snyk.io
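The merge pattern the report describes and the mitigations in the list above, shown side by side as an added example. This is not json-schema-ref-parser's own merge code; `unsafeMerge`, `safeMerge`, the `BLOCKED_KEYS` set and the JSON payloads are all constructed here for illustration. The payload is built with `JSON.parse` because that is how untrusted input normally arrives: `JSON.parse` creates an own property literally named `__proto__`, which a recursive merge then follows into `Object.prototype`.

```javascript
// Added example (not the library's code): an unsafe recursive merge beside
// a hardened one, run on constructed JSON input.

// Keys through which a merge can reach Object.prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Unsafe: copies every enumerable key, including "__proto__". On a plain
// object target["__proto__"] evaluates to Object.prototype, so the recursion
// writes the payload's fields onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips the dangerous keys, only reads own properties of the source,
// and builds nested containers with Object.create(null) so there is no
// prototype chain to walk.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]);
      const nested = own ? target[key] : Object.create(null);
      target[key] = safeMerge(nested, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the unsafe merge on a constructed payload and reports whether a fresh
// object inherited the injected field. The injected field is deleted again
// afterwards so the rest of the process is not left polluted.
function demonstrateUnsafe() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed
  const before = ({}).polluted;
  unsafeMerge({}, payload);
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}

// Runs the hardened merge on a payload that tries both reachable paths
// (__proto__ and constructor.prototype) alongside a legitimate option.
function demonstrateSafe() {
  const payload = JSON.parse(
    '{"__proto__": {"polluted": true},' +
    ' "constructor": {"prototype": {"polluted": true}},' +
    ' "timeout": 5}'
  ); // constructed
  const result = safeMerge(Object.create(null), payload);
  return {
    polluted: ({}).polluted,          // expected: undefined
    timeout: result.timeout,          // expected: 5
    hasProtoKey: "__proto__" in result, // expected: false
  };
}

console.log(demonstrateUnsafe(), demonstrateSafe());
```

The blocklist plus `Object.create(null)` is the pattern the list above recommends; `Object.freeze(Object.prototype)` is the process-wide backstop and is left out of the runnable block because it affects every object in the runtime, which is a deployment decision rather than something a library should do on its own.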

jonluca commented 5 months ago

Fixed in https://github.com/APIDevTools/json-schema-ref-parser/actions/runs/8160582452