kimmobrunfeldt / progressbar.js

Responsive and slick progress bars
https://kimmobrunfeldt.github.io/progressbar.js
MIT License

Prototype Pollution using extend() in utils.js #303

Closed lelecolacola123 closed 1 year ago

lelecolacola123 commented 1 year ago

Hi! There's a prototype pollution vulnerability in function extend() in the file utils.js. Affected versions of this package are vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. The risk is located here: https://github.com/kimmobrunfeldt/progressbar.js/blob/74536b9eeeaaf51144706d918ed5a0a679631d96/src/utils.js#L20 https://github.com/kimmobrunfeldt/progressbar.js/blob/74536b9eeeaaf51144706d918ed5a0a679631d96/src/utils.js#L18 and the POC is as follows:

```js
var progressbar = require("progressbar.js");
// Key assumed to be "__proto__": the rendered issue shows it as "proto",
// most likely because markdown rendering stripped the underscores.
var BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');
console.log("Before: " + {}.test);
progressbar.utils.extend({}, BAD_JSON, {});
console.log("After: " + {}.test);
```

More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

jdcoldsmith commented 1 year ago

Github just published this vulnerability here: https://github.com/advisories/GHSA-89qm-hm2x-mxm3

astagi commented 1 year ago

cc @kimmobrunfeldt

jadavey91 commented 1 year ago

Also being registered by Snyk scan https://security.snyk.io/vuln/SNYK-JS-PROGRESSBARJS-3184152

antoniobenci87 commented 1 year ago

progressbar.js is included in bootstrap italia 2.x; I can't get the vulnerability tests to pass. Any news about this?

juburr commented 1 year ago

Does the POC in the issue description work for anyone? I was going to take a stab at this issue, but I always get this result:

```
Before: undefined
After: undefined
```

kimmobrunfeldt commented 1 year ago

Fixed in release 1.1.1 by using lodash.merge instead of custom extend code. The code was written at a time when npm for frontend dependency management was still considered a new thing. There are also plenty of other old code relics such as vendor prefixes in stylings. The build system is very old, so to be able to even npm install I just removed all tests.
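As an added example that is not part of this thread or of progressbar.js itself, the following shows the defensive shape of a deep-extend that cannot be used to reach Object.prototype through a parsed JSON payload like the one in the issue (key `__proto__`, which the rendered issue shows as "proto"), together with a check that the prototype is still clean after the merge. `safeExtend`, `isPlainObject`, `demo` and the sample payload are constructed for this example.

```javascript
'use strict';

// Keys that must never be copied from an untrusted source object: each of
// them is a path from a plain object to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (including JSON.parse output) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merges sources into target, copying own enumerable properties only and
// skipping the forbidden keys, so a payload cannot redirect the copy into the
// shared prototype. Returns target for chaining, like a classic extend().
function safeExtend(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        // Reuse an existing own plain-object child; never an inherited one.
        const existing = Object.hasOwn(target, key) ? target[key] : undefined;
        target[key] = safeExtend(isPlainObject(existing) ? existing : {}, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed payload mirroring the issue's PoC, plus an ordinary option.
const BAD_JSON = JSON.parse('{"__proto__":{"test":123},"color":"#f00"}');

// Merges the payload and reports whether Object.prototype was modified.
function demo() {
  const result = safeExtend({}, BAD_JSON, { width: 2 });
  return {
    test: ({}).test,   // stays undefined: the prototype was not touched
    polluted: Object.prototype.hasOwnProperty.call(Object.prototype, 'test'),
    result,
  };
}

console.log(demo());
```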