제출 #856979: Node.js Inputmask 5.0.9 Prototype Pollution정보

제목Node.js Inputmask 5.0.9 Prototype Pollution
설명`inputmask` exposes `extendDefaults()`, `extendDefinitions()`, and `extendAliases()` as public APIs. These methods call the internal deep merge helper with attacker-controlled keys. Passing an object containing `__proto__` to `extendDefaults()` can pollute `Object.prototype`. `extendDefaults()` forwards user-controlled data to the internal deep merge helper: ```js Inputmask.extendDefaults = function (options) { $.extend(true, Inputmask.prototype.defaults, options); }; ``` The merge helper in `lib/dependencyLibs/extend.js` iterates over source keys and writes them directly to the target: ```js for (name in options) { src = target[name]; copy = options[name]; if ( deep && copy && (Object.prototype.toString.call(copy) === "[object Object]" || (copyIsArray = Array.isArray(copy))) ) { clone = src && Object.prototype.toString.call(src) === "[object Object]" ? src : {}; target[name] = extend(deep, clone, copy); } else if (copy !== undefined) { target[name] = copy; } } ``` When `name` is `__proto__`, `target[name]` resolves through the prototype accessor instead of being treated as a normal own property. During deep merge, the nested object is then merged into the prototype object, which allows assignments such as: ```js Object.prototype.polluted = "yes"; ``` The same merge helper is also used by `extendDefinitions()`, `extendAliases()`, and multiple option-merging paths, so the fix should be applied in the shared merge logic rather than only in `extendDefaults()`.
원천⚠️ https://github.com/RobinHerbots/Inputmask/issues/2885
사용자
 wjm1 (UID 98929)
제출2026. 06. 12. PM 02:09 (1 월 ago)
모더레이션2026. 07. 17. PM 09:01 (1 month later)
상태수락
VulDB 항목379909 [RobinHerbots Inputmask 까지 5.0.9 Internal Deep Merge Helper extend.js extendDefaults/extendDefinitions/extendAliases 권한 상승]
포인트들20

Interested in the pricing of exploits?

See the underground prices here!