| 标题 | Node.js Inputmask 5.0.9 Prototype Pollution |
|---|
| 描述 | `inputmask` exposes `extendDefaults()`, `extendDefinitions()`, and `extendAliases()` as public APIs. These methods call the internal deep merge helper with attacker-controlled keys. Passing an object containing `__proto__` to `extendDefaults()` can pollute `Object.prototype`.
`extendDefaults()` forwards user-controlled data to the internal deep merge helper:
```js
Inputmask.extendDefaults = function (options) {
$.extend(true, Inputmask.prototype.defaults, options);
};
```
The merge helper in `lib/dependencyLibs/extend.js` iterates over source keys and writes them directly to the target:
```js
for (name in options) {
src = target[name];
copy = options[name];
if (
deep &&
copy &&
(Object.prototype.toString.call(copy) === "[object Object]" ||
(copyIsArray = Array.isArray(copy)))
) {
clone =
src && Object.prototype.toString.call(src) === "[object Object]"
? src
: {};
target[name] = extend(deep, clone, copy);
} else if (copy !== undefined) {
target[name] = copy;
}
}
```
When `name` is `__proto__`, `target[name]` resolves through the prototype accessor instead of being treated as a normal own property. During deep merge, the nested object is then merged into the prototype object, which allows assignments such as:
```js
Object.prototype.polluted = "yes";
```
The same merge helper is also used by `extendDefinitions()`, `extendAliases()`, and multiple option-merging paths, so the fix should be applied in the shared merge logic rather than only in `extendDefaults()`. |
|---|
| 来源 | ⚠️ https://github.com/RobinHerbots/Inputmask/issues/2885 |
|---|
| 用户 | wjm1 (UID 98929) |
|---|
| 提交 | 2026-06-12 14時09分 (1 月前) |
|---|
| 管理 | 2026-07-17 21時01分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 379909 [RobinHerbots Inputmask 直到 5.0.9 Internal Deep Merge Helper extend.js extendDefaults/extendDefinitions/extendAliases 权限提升] |
|---|
| 积分 | 20 |
|---|