Prototype Pollution

[msrkp]

I'm submitting a bug report

parseQueryString of aurelia path is vulnerable to prototype pollution.

POC
aurelia blog is using parseQueryString to parse location.search, so it is vulnerable to prototype pollution

1. Open the following URL: https://aurelia.io/blog/?__proto__[asdf]=asdf
2. Open Devtools Console, and check the Object.prototype
3. You can notice Object being polluted with the "asdf" property.

[bigopon]

@msrkp thanks for the issue. Will be fixed soon.

[tylerdotson]

Is there an update on when this will be fixed?

[bigopon]

Fixed in my local, doing some cleanup and deps upgrade. Will get this in soon

[tylerdotson]

Thank you, @bigopon! Your hard work is greatly appreciated! Do you know when the next release will be?

[bigopon]

@tylerdotson probably in a few days. I'll work with @EisenbergEffect to do a release for this.

[msrkp]

@bigopon the fix can be bypassed with
__proto__=x&0[xxx]=xxx

[bigopon]

@msrkp thanks for catching that! It's fixed in the latest commit.

[msrkp]

Hi @bigopon,
Is it possible to get Github security advisory or CVE for this bug?

[bigopon]

Hi @msrkp, the advisory has been created GHSA-3c9c-2p65-qvwv
I'm not familiar with the process, can you help check if there's something missing?

[msrkp]

Hi @bigopon ,

Awesome, thanks.
By the way, I read in GitHub docs you can request for CVE, can you please do that?

If you don't already have a CVE identification number for the security vulnerability in your project, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours. Requesting a CVE identification number doesn't make your security advisory public. If your security advisory is eligible for a CVE, GitHub will reserve a CVE identification number for your advisory. We'll then publish the CVE details after you publish the security advisory.

More details are available here https://docs.github.com/en/code-security/security-advisories/publishing-a-security-advisory

Thanks and Regards,
s1r1us

[bigopon]

That is also done. I wasn't sure whether it's needed after creating the advisory. Thanks for the reply.

[mukundbhuva]

Hello,

It is still not fix in live host
Browser: firefox
POC : https://aurelia.io/blog/404/?__proto__[test]=test

[bigopon]

Thanks @mukundbhuva . The site code needs to be rebuilt. Will do so.