Submit #856979: Node.js Inputmask 5.0.9 Prototype Pollutioninfo

TitelNode.js Inputmask 5.0.9 Prototype Pollution
Beschreibung`inputmask` exposes `extendDefaults()`, `extendDefinitions()`, and `extendAliases()` as public APIs. These methods call the internal deep merge helper with attacker-controlled keys. Passing an object containing `__proto__` to `extendDefaults()` can pollute `Object.prototype`. `extendDefaults()` forwards user-controlled data to the internal deep merge helper: ```js Inputmask.extendDefaults = function (options) { $.extend(true, Inputmask.prototype.defaults, options); }; ``` The merge helper in `lib/dependencyLibs/extend.js` iterates over source keys and writes them directly to the target: ```js for (name in options) { src = target[name]; copy = options[name]; if ( deep && copy && (Object.prototype.toString.call(copy) === "[object Object]" || (copyIsArray = Array.isArray(copy))) ) { clone = src && Object.prototype.toString.call(src) === "[object Object]" ? src : {}; target[name] = extend(deep, clone, copy); } else if (copy !== undefined) { target[name] = copy; } } ``` When `name` is `__proto__`, `target[name]` resolves through the prototype accessor instead of being treated as a normal own property. During deep merge, the nested object is then merged into the prototype object, which allows assignments such as: ```js Object.prototype.polluted = "yes"; ``` The same merge helper is also used by `extendDefinitions()`, `extendAliases()`, and multiple option-merging paths, so the fix should be applied in the shared merge logic rather than only in `extendDefaults()`.
Quelle⚠️ https://github.com/RobinHerbots/Inputmask/issues/2885
Benutzer
 wjm1 (UID 98929)
Einreichung12.06.2026 14:09 (vor 1 Monat)
Moderieren17.07.2026 21:01 (1 month later)
StatusAkzeptiert
VulDB Eintrag379909 [RobinHerbots Inputmask bis 5.0.9 Internal Deep Merge Helper extend.js extendDefaults/extendDefinitions/extendAliases erweiterte Rechte]
Punkte20

Do you need the next level of professionalism?

Upgrade your account now!