The NodeJS component express-fileupload, which reports some 7 million downloads from the npm registry, has a critical Prototype Pollution vulnerability.
At a minimum, an attacker can use this vulnerability to disrupt your NodeJS application and make it return a series of HTTP 500 errors, i.e., a Denial of Service (DoS). More advanced exploits build on the flaw's ability to alter the shared object template (the prototype) to achieve remote code execution on a vulnerable machine.
The NodeJS component “express-fileupload” is a popular choice among developers because it provides a variety of file upload options and integrates easily into an application. If you rely on a vulnerable “express-fileupload” version for file upload functionality, you should be aware of the security risks it introduces.
The vulnerability (CVE-2020-7699) was discovered by security researcher Posix at the end of July; he provides more details in this blog post.
Why do Prototype Pollution vulnerabilities matter?
Prototype Pollution vulnerabilities are interesting because of their versatility for the attacker. Imagine being able to alter the properties inherited by every object in a JavaScript application because of nothing but an inherent “design flaw” in the language.
We explained what Prototype Pollution is, and how it affected the popular “lodash” component, in a previous Nexus Intelligence Insight. Recall from that post that JavaScript is a prototype-based language: the ability to modify the basic template (Object.prototype) that ordinary objects build upon is an intended feature of the language, not a bug in the runtime.
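The mechanism behind both the DoS and the more serious outcomes described above is easier to see in code. The block below is an added example written for this post, not express-fileupload's own code and not Posix's exploit. It models a hypothetical "nested field" parser of the kind that turns a multipart field name such as `user.name` into `{user: {name: ...}}`, shows how a constructed field name of `__proto__.polluted` walks onto `Object.prototype` and leaves a property on every object created afterwards, shows why shadowing an inherited method (here `toString`) makes ordinary framework code throw and the request fail, and then gives a hardened variant (`setNestedSafe`, a name chosen for this example) that rejects prototype-related path segments and only descends into properties the target object itself owns. The pollution is cleaned up after each demonstration so the rest of the process is unaffected.

```javascript
// Added example, not express-fileupload's code: how a naive nested-field
// parser lets a crafted field name pollute Object.prototype, and a hardened
// variant that does not.

// Naive: split the field name on dots and assign into whatever object is
// found along the way. "__proto__" on a plain object resolves to
// Object.prototype, so the walk steps onto the shared prototype unnoticed.
function setNestedUnsafe(target, fieldName, value) {
  const parts = fieldName.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: refuse the segments that lead to a prototype, and never descend
// through an inherited property. Fresh containers are prototype-less.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setNestedSafe(target, fieldName, value) {
  const parts = fieldName.split('.');
  if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
    throw new Error('rejected field name: ' + fieldName);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = Object.create(null);
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Constructed field names, standing in for what an attacker would put in the
// "name" of a multipart form part.
const BENIGN_FIELD = 'user.name';
const ATTACK_FIELD = '__proto__.polluted';

// Pollution: an unrelated object created afterwards "has" the attacker's value.
function demoUnsafe() {
  const body = {};
  setNestedUnsafe(body, BENIGN_FIELD, 'alice');
  setNestedUnsafe(body, ATTACK_FIELD, 'yes');
  const unrelated = {};
  const leaked = unrelated.polluted;
  delete Object.prototype.polluted; // clean up after the demonstration
  return { ownName: body.user.name, leaked };
}

// The HTTP 500 failure mode: if the polluted property shadows a method that
// framework code later calls on ordinary objects, that call throws. String({})
// stands in for a serializer or logger doing an implicit conversion.
function demoBreakage() {
  const original = Object.prototype.toString;
  try {
    setNestedUnsafe({}, '__proto__.toString', 'not a function');
    String({});
    return 'no error';
  } catch (e) {
    return e.constructor.name; // TypeError: cannot convert object to primitive
  } finally {
    Object.prototype.toString = original; // restore the shared prototype
  }
}

// Hardened parser: benign input still works, the attack is rejected, and no
// property leaks onto unrelated objects.
function demoSafe() {
  const body = Object.create(null);
  setNestedSafe(body, BENIGN_FIELD, 'alice');
  let rejected = false;
  try {
    setNestedSafe(body, ATTACK_FIELD, 'yes');
  } catch (e) {
    rejected = true;
  }
  return { ownName: body.user.name, rejected, leaked: ({}).polluted };
}

console.log('unsafe:', demoUnsafe());
console.log('breakage:', demoBreakage());
console.log('safe:', demoSafe());
```

The deny-list alone is not enough in general (JSON bodies can smuggle `__proto__` as a literal key, and `constructor.prototype` reaches the same place), which is why the hardened version also refuses to walk through inherited properties and builds its containers with `Object.create(null)`.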
Prototype Pollution vulnerabilities in client-side JavaScript have posed security issues before, but their exploitation typically ended with the user’s browser crashing or the app misbehaving in that one browser, so the impact was contained to the client.
But ever since the advent of “serverless” architecture and NodeJS-powered apps, the same language (Read more...)