CVE-2023-45811
Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
Description
### Impact

A `__proto__` pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.

### Summary

A `__proto__` pollution vulnerability exists in the [LiteralMap] transformer, allowing crafted input to modify properties on the Object prototype. When executing in Node.js, because of the way the `prettier` module resolves its options, defining a `parser` property on `__proto__` with a path to a JS module on disk [causes a `require` of the value][prettier/src/main/parser.js], which can lead to arbitrary code execution.

### Patch

A fix has been released in `synchrony@2.4.4`.

### Mitigation

- Upgrade synchrony to v2.4.4
- Launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flag

### Proof of Concept

Craft a malicious input file named `poc.js` as follows:

```js
// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())

// Synchrony exploit PoC
{
  var __proto__ = { parser: 'poc.js' }
}
```

Then, run `synchrony poc.js` from the same directory as the malicious file.

### Credits

This vulnerability was found and disclosed by [William Khem-Marquez][SteakEnthusiast].

[LiteralMap]: src/transformers/literalmap.ts
[SteakEnthusiast]: https://github.com/SteakEnthusiast
[disable-proto]: https://nodejs.dev/en/api/v20/cli/#--disable-protomode
[prettier/src/main/parser.js]: https://github.com/prettier/prettier/blob/2.5.1/src/main/parser.js#L53-L63
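The following is an added illustration, not synchrony's own code: a minimal literal-map recorder written in the vulnerable style the summary describes (a plain `{}` keyed by variable name, with object-literal properties copied in one by one), beside a hardened version, plus a post-condition check a defender can run after processing untrusted input. The function names and the sample `__proto__` / `parser` input are constructed to mirror the PoC's shape.

```javascript
// Vulnerable pattern (constructed, not synchrony's code): when varName is
// "__proto__", map[varName] resolves to Object.prototype through the inherited
// getter, so the inner assignment lands on every object in the process, e.g. a
// "parser" option that prettier later reads and requires.
function recordLiteralUnsafe(map, varName, propName, value) {
  if (!map[varName]) map[varName] = {};
  map[varName][propName] = value;
  return map;
}

// Keys that reach into the prototype chain rather than naming a real entry.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: reject prototype-affecting keys outright, keep the map and
// its entries as null-prototype objects so no __proto__ setter is inherited,
// and consult only own properties when deciding whether an entry exists.
function recordLiteralSafe(map, varName, propName, value) {
  for (const key of [varName, propName]) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing prototype-affecting key: ${key}`);
    }
  }
  if (!Object.prototype.hasOwnProperty.call(map, varName)) {
    map[varName] = Object.create(null);
  }
  map[varName][propName] = value;
  return map;
}

// A literal map with no prototype at all, so lookups cannot fall through to
// Object.prototype even if a denylist check were ever bypassed.
function newLiteralMap() {
  return Object.create(null);
}

// Post-condition to assert after handling untrusted input: a fresh object must
// not have inherited a "parser" property (the one the advisory's PoC plants).
function prototypeIsClean() {
  return !('parser' in {});
}

// Constructed input mirroring: var __proto__ = { parser: 'poc.js' }
function demo() {
  try {
    recordLiteralSafe(newLiteralMap(), '__proto__', 'parser', 'poc.js');
  } catch (e) {
    console.log('hardened recorder rejected input:', e.message);
  }
  console.log('Object.prototype clean after hardened run:', prototypeIsClean());
}
demo();
```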
How to fix CVE-2023-45811
To remediate CVE-2023-45811, upgrade the affected package to a fixed version below.
- synchrony: upgrade to 2.4.4 or later
Is CVE-2023-45811 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- synchrony >= 2.0.1, < 2.4.4