CVE-2022-31106 – The function deepFromFlat of underscore[.]deep is vulnerable to prototype pollution (28th June 2022)

Preface: When defining mappings, it will configure the fields that contain an array of objects within them as “object” type. This is fine in many cases, but sometimes the mappings will need to be adjusted.
Nested is a special type of object that is indexed as a separate document, and a reference to each of these inner documents is stored with the containing document, so we can query the data accordingly.

Background: The basic definition of an object in JavaScript is a container for named values called properties (keys). Sometimes, we need to create an object inside another object. In this case, it’s called a nested object.Nested objects are objects that are inside another object.Underscore.deep is a collection of Underscore mixins that operate on nested objects. Dealing with nested objects often we’ll be needing to access the innermost nested values safely.

Vulnerability details: Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of underscore.deep prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to deepFromFlat, which would pollute any future Objects created. Any users that have deepFromFlat or deepPick (due to its dependency on deepFromFlat) in their code should upgrade to version 0.5.3 as soon as possible.

Workarounds: Is there a way for users to fix or remediate the vulnerability without upgrading? Modifying deepFromFlat to prevent specific keywords will prevent this from happening. For details, please refer to link – https://github.com/clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7

Remedy: Users should upgrade to 0.5.3.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.