You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Dec 17, 2025. It is now read-only.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Hi Team,
Is this really a vulnerability as I was not able to really exploit it? Below is the POC code. I was not able to pollute the Prototype property of other objects.
const parser = require("./parseQuery.js")
let result = parser.parseQuery('?{a:"1",__proto__:{"isPolluted":true}}')
let result2 = parser.parseQuery('?{b:"3"}')
console.log(result)
console.log(result.isPolluted) // True (The prototype of result has a new property isPolluted defined)
console.log(result2.isPolluted) // Undefined (It should return true if the Prototype vulnerability exists )
Hello,
I ran into this cve/issue from work and decided to look into it as I see that many packages depend on this and was considered a CRITICAL. I agree with the comment from @dingjiedanielyang-sec saying that there was no vulnerability in the first place, because every time parseQuery runs it is creating a NEW empty/null object and populating it according to the provided string , i.e. you can't pollute something that has "nothing" in the first place. The "fix" pretty much did nothing. This maybe will have being a different story if it started with some other non-null object.
What could be a security concern is how this new object will be handled, as you can technically create one with arbitrary properties that could be malicious. However this will be up to the applications/other-packages using this as a dependency to properly "sanitize" the query/string provided and object.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
None yet
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2022-37601
Resolves:
#212