All versions of unflatten are vulnerable to prototype pollution. The function unflatten does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
function unflatten (obj, opts) {
var separator = '.'
var objectMode = false
if (typeof opts === 'string') {
separator = opts
} else if (typeof opts === 'boolean') {
objectMode = opts
} else if (opts) {
separator = opts.separator || separator
objectMode = opts.objectMode
}
const dotSep = (separator === '.')
var re = new RegExp(separator, 'g')
var newObj = {}
for (let path in obj) {
if (/__proto__/.test(path) === true) {
break;
}
if (objectMode) {
_setWith(newObj, dotSep ? path : path.replace(re, '.'), obj[path], Object)
} else {
_set(newObj, dotSep ? path : path.replace(re, '.'), obj[path])
}
}
return newObj
}
Description
All versions of unflatten are vulnerable to prototype pollution. The function unflatten does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
Proof of Concept
Impact
This vulnerability would allow an attacker to access sensitive information and could potentially lead to Remote Code Execution.
Proof of Fix