Description
A critical prototype pollution vulnerability (TP0002) has been identified in the @stdlib__utils-define-property package, specifically within the package/package/lib/polyfill.js file at line 95. This vulnerability allows an attacker to inject arbitrary properties into the global Object.prototype via direct property assignment, which can lead to widespread unintended modifications of object behavior across the application, potential data corruption, or bypass of security controls.
Related Issues
No response
Questions
Are there any existing mitigations or safeguards in the package that were intended to prevent direct writes to Object.prototype?
What is the timeline for a fix to address this prototype pollution vector?
Are there other code paths within the package that may expose similar prototype pollution risks?
Demo
No live demo is provided, as the vulnerability can be reproduced in a local Node.js/browser environment with the steps below.
Reproduction
a. Import the affected function from @stdlib__utils-define-property (specifically the polyfill at package/package/lib/polyfill.js).
b. Call the function with the following arguments:
   First argument: Object.prototype (targeting the global prototype chain)
   Second argument: An arbitrary key (e.g., 'polluted')
   Third argument: A descriptor object with a controllable value (e.g., { value: true })
c. Execute the function call: lib(Object.prototype, "polluted", { value: true })
d. Check the Object.prototype for the injected polluted property.
Expected Results
The function should prevent direct modification of Object.prototype and throw an error, or sanitize/validate the target object to ensure it is not the global prototype. No arbitrary properties should be added to Object.prototype.
Actual Results
The function executes the assignment Object.prototype[prop] = descriptor.value without validation, resulting in the polluted property being injected into Object.prototype. Verification output confirms:
[CASE_ID=TP0002] [VULN_BOTH] Direct polluted property on Object.prototype
Version
vulnerability identified in the @stdlib__utils-define-property package's polyfill implementation
Environments
Node.js
Browser Version
All modern browsers
Node.js / npm Version
v10+
Platform
macOS
Checklist
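The validation that the Expected Results section asks for, as an added example that is not part of the original report or the package's own code. `assignPolyfill` is a hypothetical stand-in for the assignment path the report quotes; `guardedDefine`, `PROTECTED` and `prototypeStaysClean` are assumed names.

```javascript
// Built-in prototypes that a caller-supplied target must never be (assumed deny list).
const PROTECTED = new Set([Object.prototype, Function.prototype, Array.prototype]);

// Hypothetical stand-in for the assignment path quoted in the report.
function assignPolyfill(obj, prop, descriptor) {
  obj[prop] = descriptor.value;
  return obj;
}

// Hypothetical guard: validate target and key, then delegate to `define`.
function guardedDefine(define, obj, prop, descriptor) {
  if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) {
    throw new TypeError('target must be an object or function');
  }
  if (PROTECTED.has(obj)) {
    throw new TypeError('refusing to define a property on a built-in prototype');
  }
  // With plain assignment, the key "__proto__" invokes the inherited setter
  // and swaps the target's prototype instead of creating a property.
  if (prop === '__proto__') {
    throw new TypeError('refusing property key "__proto__"');
  }
  return define(obj, prop, descriptor);
}

// Regression check: true only if the write is rejected and Object.prototype
// has the same own properties afterwards.
function prototypeStaysClean(key) {
  const before = Object.getOwnPropertyNames(Object.prototype).length;
  let rejected = false;
  try {
    guardedDefine(assignPolyfill, Object.prototype, key, { value: true });
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  const clean =
    !Object.prototype.hasOwnProperty.call(Object.prototype, key) &&
    Object.getOwnPropertyNames(Object.prototype).length === before;
  return rejected && clean;
}
```

Native Object.defineProperty also accepts Object.prototype as a target, so a check like this belongs wherever untrusted input can select the target or key. The identity comparison does not cover built-in prototypes from another realm, such as an iframe.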