Shulou(Shulou.com)06/01 Report--

This article shows you what kind of vulnerabilities exist in the node-forge JavaScript library, the content is concise and easy to understand, can definitely brighten your eyes, through the detailed introduction of this article, I hope you can get something.

A security vulnerability (CVE-2020-7720) exists in a legacy function of the popular node-forge JavaScript library, which can be exploited by attackers to perform prototype contamination attacks on applications.

Node-forge, which is used by more than 3.5 million repositories, implements a variety of encryption utilities, the TLS protocol, and tools for developing web applications.

Prototype contamination is a serious vulnerability that can be exploited by an attacker to tamper with the application's behavior by modifying the application's code at run time.

This is usually performed through malicious input, depending on fragile components, which can lead to a series of attacks, including a denial of service or even remote code execution.

The flaw lies in the util.setPath () function in node-forge, which has existed since earlier versions of the library and before the library began to focus on encryption.

According to node-forge 's update log, util.setPath has a potential prototype contamination security vulnerability when using unsafe input. SetPath is a generic function that allows developers to modify the properties of an object by passing a text string.

The vulnerability was first reported to the security company Snyk, which disclosed the vulnerability after node-forge maintainers released a patch.

Snyk gave the vulnerability an ultra-critical score of 9.8, while NVD gave the vulnerability a score of 7.3. The PoC posted on the Snyk website shows that setPath can be used to contaminate the _ _ prototype__ property of the underlying object, causing the application to be modified.

The Node-forge update log says, "Forge itself does not use these functions. They can be traced back to earlier times, when forge directed to provide general helper functionality."

David Lehn, a maintainer for Node-forge, said, "We've never seen anyone use this function, including forge itself, let alone use it."

Along with other related functions, setPath has been removed from the latest version of node-forge.

Node-forge maintainers recommend using other libraries with similar property setting capabilities, such as lodash, but warn that there may be prototype contamination vulnerabilities in these libraries.

"lodash set () is similar to setPath () (also a good supported alternative to setPath). I think others have written similar object-path-setting code. It is very useful when used correctly." Lehn said, but added that if the input was not filtered, any code that provided the feature could contain similar security vulnerabilities.

The above is what the vulnerabilities in the node-forge JavaScript library are. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.