
Node.js prototype pollution is bad for your app environment
2022-07-25 21:46

Prototype pollution is one of the most common security vulnerabilities found in JavaScript code.

The authors emphasize that it is not necessarily easy, or even possible, to carry out a prototype pollution attack successfully, even where suitable gadgets exist in application code.

While these figures represent an upper bound on the actual prevalence of exploitable gadgets - because of other complicating factors - they argue more attention needs to be given to guarding against prototype pollution in the JavaScript ecosystem.

"We emphasize once again how dangerous the identified gadgets are," they say, observing that many applications are likely to meet the preconditions for remote code execution if prototype pollution is possible.

"...[C]onsidering the power of these gadgets and their widely-available triggers, prototype pollution should be considered a critical security vulnerability in the current Node.js landscape."

"I was impressed that the authors were able to find three confirmed exploitable cases of prototype pollution, which is a nice change from the usual noise we get from CVE reports about prototype pollution, most of which are not actually exploitable. This research shows that prototype pollution is not just a theoretical risk."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/25/nodejs_prototype_pollution/