hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
Vulnerability Overview
This package has 1 confirmed prototype pollution vulnerability and no code execution vulnerabilities. It involves 1 unique pollution sink with the sink type of DYNAMIC_PROP_WRITE, which causes local prototype pollution.
Detailed Vulnerability Information
Vulnerability ID: TP0001
Vulnerability Type: Prototype Pollution, Sink Type: DYNAMIC_PROP_WRITE
Vulnerable Code Location: package/package/lib/CoreExperiment.js:33
Root Cause: The CoreExperiment component iterates over child Variant components and assigns the components to the internal variants object with element.props.name as the dynamic key. When the name attribute is controlled by an attacker and set to proto, executing variants['proto'] = element pollutes the Object prototype directly.
POC
// Payload
__proto__
// Call Sequence
const React = require('react');
const CoreExperiment = require('@quernest/react-ab-test/lib/CoreExperiment');
const Variant = require('@quernest/react-ab-test/lib/Variant');
const maliciousVariant = React.createElement(Variant, {name: '__proto__', key: '1'}, 'content');
const app = React.createElement(CoreExperiment, {name: 'test'}, maliciousVariant);Verification Result: [CASE_ID=TP0001] [VULN_LOCAL] Prototype pollution via Variant name prop set to proto
hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
Vulnerability Overview
This package has 1 confirmed prototype pollution vulnerability and no code execution vulnerabilities. It involves 1 unique pollution sink with the sink type of DYNAMIC_PROP_WRITE, which causes local prototype pollution.
Detailed Vulnerability Information
Vulnerability ID: TP0001
Vulnerability Type: Prototype Pollution, Sink Type: DYNAMIC_PROP_WRITE
Vulnerable Code Location: package/package/lib/CoreExperiment.js:33
Root Cause: The CoreExperiment component iterates over child Variant components and assigns the components to the internal variants object with element.props.name as the dynamic key. When the name attribute is controlled by an attacker and set to proto, executing variants['proto'] = element pollutes the Object prototype directly.
POC
Verification Result: [CASE_ID=TP0001] [VULN_LOCAL] Prototype pollution via Variant name prop set to proto