जमा करें #856979: Node.js Inputmask 5.0.9 Prototype Pollutionजानकारी

शीर्षकNode.js Inputmask 5.0.9 Prototype Pollution
विवरण`inputmask` exposes `extendDefaults()`, `extendDefinitions()`, and `extendAliases()` as public APIs. These methods call the internal deep merge helper with attacker-controlled keys. Passing an object containing `__proto__` to `extendDefaults()` can pollute `Object.prototype`. `extendDefaults()` forwards user-controlled data to the internal deep merge helper: ```js Inputmask.extendDefaults = function (options) { $.extend(true, Inputmask.prototype.defaults, options); }; ``` The merge helper in `lib/dependencyLibs/extend.js` iterates over source keys and writes them directly to the target: ```js for (name in options) { src = target[name]; copy = options[name]; if ( deep && copy && (Object.prototype.toString.call(copy) === "[object Object]" || (copyIsArray = Array.isArray(copy))) ) { clone = src && Object.prototype.toString.call(src) === "[object Object]" ? src : {}; target[name] = extend(deep, clone, copy); } else if (copy !== undefined) { target[name] = copy; } } ``` When `name` is `__proto__`, `target[name]` resolves through the prototype accessor instead of being treated as a normal own property. During deep merge, the nested object is then merged into the prototype object, which allows assignments such as: ```js Object.prototype.polluted = "yes"; ``` The same merge helper is also used by `extendDefinitions()`, `extendAliases()`, and multiple option-merging paths, so the fix should be applied in the shared merge logic rather than only in `extendDefaults()`.
स्रोत⚠️ https://github.com/RobinHerbots/Inputmask/issues/2885
उपयोगकर्ता
 wjm1 (UID 98929)
सबमिशन12/06/2026 02:09 PM (1 महीना पहले)
संयम17/07/2026 09:01 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि379909 [RobinHerbots Inputmask तक 5.0.9 Internal Deep Merge Helper extend.js extendDefaults/extendDefinitions/extendAliases अधिकार वृद्धि]
अंक20

Interested in the pricing of exploits?

See the underground prices here!