提出 #855024: Node.js primereact 10.9.8 Prototype Pollution情報

タイトルNode.js primereact 10.9.8 Prototype Pollution
説明PrimeReact exposes a utility entry point through `primereact/utils`, and that entry point includes `ObjectUtils.mutateFieldData(data, field, value)`. This helper appears to be intended for updating nested object fields by accepting a dot-separated field path, splitting it into path segments, walking the object, and assigning the supplied value at the final segment. The issue is that the path-walking logic treats every segment as a normal property name. If the caller supplies a field path such as `__proto__.polluted`, JavaScript does not treat `__proto__` like a regular own property on a plain object. Instead, reading that segment can resolve to the object's prototype. The subsequent assignment then writes the attacker-controlled property onto `Object.prototype`. As a result, a call that appears to mutate only the provided local object can modify the global object prototype. After this happens, newly created objects may inherit the injected property. This is the classic prototype pollution pattern and can become security-relevant when application logic later checks object properties for authorization, feature flags, configuration, validation state, or other control-flow decisions. The vulnerable behavior is reachable through a public package subpath (`primereact/utils`) and a declared utility API. The PoC below demonstrates the issue without relying on private internals or a browser environment.
ソース⚠️ https://github.com/primefaces/primereact/issues/8553
ユーザー
 Dremig (UID 95003)
送信2026年06月10日 13:23 (1 月 ago)
モデレーション2026年07月12日 20:03 (1 month later)
ステータス承諾済み
VulDBエントリ377888 [primefaces primereact 迄 10.9.8 API ObjectUtils.mutateFieldData フィールド 特権昇格]
ポイント20

Might our Artificial Intelligence support you?

Check our Alexa App!