Gửi #755221: higuma web-audio-recorder-js Latest (0.1.1) Prototype Pollutionthông tin

tiêu đề	higuma web-audio-recorder-js Latest (0.1.1) Prototype Pollution
Mô tả	The library's internal extend() function doesn't sanitize dangerous property names like __proto__, constructor, or prototype when merging configuration objects. If an application passes unsanitized user input (e.g., from URL params, JSON APIs, or form data) to the WebAudioRecorder constructor's configs parameter, an attacker can pollute Object.prototype globally. Found this during a client engagement - the code pattern is definitely vulnerable, but real-world exploitability depends on whether apps actually pass user input to the constructor. Most implementations probably use hardcoded configs, which would make this unexploitable. PoC (if user input reaches configs): ``` var mockNode = { context: { createGain: () => ({ connect: () => {} }), createScriptProcessor: () => ({ connect: () => {} }), sampleRate: 44100 }, connect: function(){} }; var payload = JSON.parse('{"__proto__": {"__proto__": {"polluted": "Success!"}}}'); // "Success!" new WebAudioRecorder(mockNode, payload); console.log("Check:", {}.polluted); //Success! // Tested PoC from client assessment ``` Haven't done extensive testing. Just spotted it in the wild and figured it's worth documenting. The Vulnerable Code Lines 3 to 13 define the extend function: ``` var extend = function() { var target = arguments[0], sources = [].slice.call(arguments, 1); for (var i = 0; i < sources.length; ++i) { var src = sources[i]; for (key in src) { var val = src[key]; target[key] = typeof val === "object" ? extend(typeof target[key] === "object" ? target[key] : {}, val) : val; } ``` Low exploitability based on my analysis. Most implementations use hardcoded configs. Only vulnerable if developers build the config object from user input (e.g., letting users customize audio settings via forms/API) without validation. Unlikely but technically possible.
Nguồn	⚠️ https://github.com/higuma/web-audio-recorder-js/blob/master/lib/WebAudioRecorder.js#L3-L15
Người dùng	MatanS (UID 86894)
Đệ trình	10/02/2026 09:07 (cách đây 2 các tháng)
Kiểm duyệt	22/02/2026 08:26 (12 days later)
Trạng thái	được chấp nhận
Mục VulDB	347331 [higuma web-audio-recorder-js 0.1/0.1.1 Dynamic Config Handling lib/WebAudioRecorder.js extend nâng cao đặc quyền]
điểm	20

◂ Trước Tổng Quan Tiếp theo ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!