Prototype Pollution Vulnerability in JSON5 Library: What You Need to Know
Learn about the prototype pollution vulnerability found in versions of the JSON5 library before and including version 2.2.1 and the potential impacts on applications that utilize the returned object. Find out how to mitigate this vulnerability by upgrading to the latest version of the library and implementing proper security measures.
Introduction
Security vulnerabilities in popular libraries can have serious consequences for the applications that rely on them. Recently, a vulnerability was discovered in the JSON5 library, a popular JavaScript library used for parsing and stringifying JSON data. This vulnerability, known as prototype pollution, allows attackers to set arbitrary keys on the prototype of the resulting object, which can have significant security implications. In this blog, we’ll explore the details of this vulnerability, its potential impact on applications, and how to mitigate it.
Table of Contents
- Introduction
- Details of the Prototype Pollution Vulnerability in JSON5 Library
- Conclusion
- References and Extra Resources
Details of the Prototype Pollution Vulnerability in JSON5 Library
The prototype pollution vulnerability in the JSON5 library affects versions of the library up to and including version 2.2.1. It allows an attacker to set the __proto__ key to an object containing malicious keys, which is then set as the prototype of the returned object.
Note that this vulnerability differs from the commonly understood definition of prototype pollution, which refers to polluting the global Object prototype. However, if the object is later used in trusted operations, polluting the prototype of a single object can still have a significant security impact on an application.
How the Prototype Pollution Vulnerability Works in the JSON5 Library
To show the impact of this vulnerability, the JSON5 team provides the following example: a developer wants to allow users and admins to perform some risky operation while restricting non-admins. To accomplish this, they 1) accept a JSON blob from the user, 2) parse it using JSON5.parse, 3) confirm that the provided data does not set some sensitive keys, and then 4) perform the risky operation using the validated data. However, an attacker could attempt to bypass the security check by setting the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and set the isAdmin key on the prototype of the returned object, allowing the attacker to run their request as an admin. This could lead to elevation of privilege and potentially allow the attacker to access sensitive data or perform malicious actions.
Typical Prototype Pollution Attempt
    const JSON5 = require('json5');
    // secCheckKeysSet and doSomethingDangerous are placeholders from the JSON5
    // advisory: the check returns true if any of the listed keys is set on
    // props, and the second function performs the privileged operation.
    const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
    if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
      doSomethingDangerous(props);
    } else {
      throw new Error('Forbidden...'); // Error: Forbidden...
    }
JSON5 Prototype Pollution Vulnerability Using the __proto__ Key
    const JSON5 = require('json5'); // any version up to and including 2.2.1
    // Same placeholder helpers as above. The check does not see the isAdmin
    // key, because it lives on the polluted prototype rather than on props.
    const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
    if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
      doSomethingDangerous(props); // "Doing dangerous thing as admin."
    } else {
      throw new Error('Forbidden...');
    }
The actual impact of this vulnerability will depend on how applications utilize the returned object and how they filter unwanted keys. It could include denial of service, cross-site scripting, elevation of privilege, or in extreme cases, remote code execution. It is important for developers to be aware of this vulnerability and take steps to mitigate it.
Mitigating the Prototype Pollution Vulnerability in JSON5 Library
To mitigate the prototype pollution vulnerability in the JSON5 library, it is recommended to upgrade to the latest version of the library (version 2.2.2 or later). This version of the library has patched the vulnerability and is safe to use.
In addition to upgrading to a safe version of the library, developers should also properly filter unwanted keys and perform thorough security checks on data coming from untrusted sources. By implementing these measures, developers can protect their applications from the potential impacts of this vulnerability.
Furthermore, it is important to stay up to date on the latest patches and vulnerabilities for all libraries and frameworks used in an application. By doing so, developers can ensure that their applications are as secure as possible and protected against potential threats.
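The bypass shown in the two snippets above and the key-filtering advice in this section, as an added JavaScript example that is not the JSON5 project's code: the json5 module is not loaded; instead vulnerableParse models the pre-2.2.2 behaviour of writing each parsed key with plain assignment, fixedParse models a parser that writes keys with Object.defineProperty, secCheckKeysSet is one plausible reading of the advisory's placeholder check (own keys only), and hardenedCheckKeysSet is an assumed replacement that also inspects the prototype.

```javascript
// Added example, not the JSON5 project's code. Both parsers start from
// JSON.parse's tree (which only ever creates own properties) and copy it
// into fresh objects key by key; the only difference is how a key is written.
// Vulnerable model (pre-2.2.2 behaviour): plain assignment. For the key
// "__proto__" this hits the inherited __proto__ setter and swaps the prototype.
function vulnerableParse(text) {
  return rebuild(JSON.parse(text), (obj, key, val) => { obj[key] = val; });
}

// Fixed model: defineProperty always creates an own data property, so a
// "__proto__" key becomes ordinary data instead of changing the prototype.
function fixedParse(text) {
  return rebuild(JSON.parse(text), (obj, key, val) => Object.defineProperty(
    obj, key, { value: val, writable: true, enumerable: true, configurable: true }));
}

function rebuild(node, assign) {
  if (Array.isArray(node)) return node.map((n) => rebuild(n, assign));
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const key of Object.keys(node)) assign(out, key, rebuild(node[key], assign));
  return out;
}

// One plausible reading of the advisory's placeholder check: own keys only.
function secCheckKeysSet(props, keys) {
  return keys.some((k) => Object.prototype.hasOwnProperty.call(props, k));
}

// Hardened check (assumed, not from the page): reject any object whose
// prototype has been replaced, and use `in` so inherited keys are seen too.
function hardenedCheckKeysSet(props, keys) {
  if (Object.getPrototypeOf(props) !== Object.prototype) return true;
  return keys.some((k) => k in props);
}

const PAYLOAD = '{"foo": "bar", "__proto__": {"isAdmin": true}}'; // from the advisory

function demo() {
  const bad = vulnerableParse(PAYLOAD);
  const good = fixedParse(PAYLOAD);
  return {
    ownKeyCheckBypassed: !secCheckKeysSet(bad, ['isAdmin', 'isMod']),   // true
    vulnIsAdmin: bad.isAdmin,                                             // true (inherited)
    hardenedCatchesIt: hardenedCheckKeysSet(bad, ['isAdmin', 'isMod']),  // true
    fixedIsAdmin: good.isAdmin,                                           // undefined
    fixedProtoIsOwnKey: Object.prototype.hasOwnProperty.call(good, '__proto__'), // true
    globalUntouched: ({}).isAdmin === undefined,                          // true
  };
}
```

Call demo() under node to see the six results; the last one confirms the page's point that only the returned object is polluted, not the global Object prototype.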
Conclusion
In conclusion, the prototype pollution vulnerability in the JSON5 library can have significant security implications for applications that utilize the returned object. By polluting the prototype of the object, attackers can bypass security checks and potentially gain access to sensitive data or perform malicious actions.
To shield your application from this vulnerability, it is important to upgrade to the latest version of the JSON5 library (version 2.2.2 or later). In addition, developers should ensure that they properly filter unwanted keys and perform thorough security checks on data coming from untrusted sources. By taking these steps, developers can mitigate the potential impacts of this vulnerability and keep their applications secure.