<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Scim-Patch &lt;= 0.9.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/scim-patch--0.9.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:02:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/scim-patch--0.9.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>scimPatch vulnerable to prototype pollution via unfiltered keys in patch</title><link>https://feed.craftedsignal.io/briefs/2026-07-scimpatch-prototype-pollution/</link><pubDate>Fri, 03 Jul 2026 11:02:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-scimpatch-prototype-pollution/</guid><description>The `scim-patch` Node.js library, versions up to and including 0.9.0, is critically vulnerable to prototype pollution (CVE-2026-48170) when processing SCIM PATCH operations, allowing an attacker to modify `Object.prototype` process-wide through crafted `__proto__` keys in the request body, leading to potential privilege escalation or denial of service.</description><content:encoded><![CDATA[<p>The <code>scim-patch</code> Node.js library, versions up to and including 0.9.0, is affected by a critical prototype pollution vulnerability, CVE-2026-48170. This flaw allows an unauthenticated or low-privileged attacker to achieve process-wide impact by sending a specially crafted SCIM PATCH request. The delivery mechanism involves a normal SCIM <code>PATCH /Users/:id</code> request body where the <code>value</code> object contains a key structured as <code>__proto__.someProp</code>. When the <code>scimPatch()</code> function processes this input, it inadvertently modifies <code>Object.prototype</code> in the Node.js runtime. This mutation affects every plain object within the running process, creating a persistent state until the process restarts. For defenders, this is critical because it can lead to severe consequences such as privilege escalation if authentication logic relies on checking properties of otherwise clean objects (e.g., <code>req.user.isAdmin</code>), or denial of service through logic bypasses, impacting the availability and integrity of services using <code>scim-patch</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious SCIM PATCH request targeting a vulnerable endpoint, for example, <code>PATCH /Users/:id</code>.</li>
<li>The request body contains a JSON array with an &quot;add&quot; or &quot;replace&quot; operation, where the <code>value</code> object includes a key structured as <code>__proto__.polluted</code> or <code>__proto__.isAdmin</code>.</li>
<li>The vulnerable Node.js application, using the <code>scim-patch</code> library, receives and processes this request via the <code>scimPatch()</code> function.</li>
<li>Inside <code>scimPatch()</code>, the <code>addOrReplaceObjectAttribute</code> function iterates over the user-supplied <code>patch.value</code> and feeds the dangerous key (<code>__proto__.polluted</code>) to <code>resolvePaths</code>.</li>
<li>The <code>assign</code> helper function then walks the <code>keyPath</code> which includes <code>__proto__</code>, and <code>obj</code> is reassigned to <code>Object.prototype</code> when <code>obj = obj[&quot;__proto__&quot;]</code> is executed.</li>
<li>Subsequently, the <code>value</code> from the malicious patch (e.g., <code>'yes'</code> or <code>true</code>) is assigned to <code>Object.prototype.polluted</code> or <code>Object.prototype.isAdmin</code>, effectively polluting the global <code>Object.prototype</code>.</li>
<li>This global prototype modification persists until the Node.js process is restarted, affecting all subsequent operations and new objects within that process.</li>
<li>This leads to impacts such as privilege escalation if downstream code checks for properties like <code>isAdmin</code> on affected objects, or denial of service through logic bypasses.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-48170 is process-wide, affecting any Node.js service utilizing the <code>scim-patch</code> library for SCIM operations. This could include identity management systems, user provisioning services, and enterprise applications that integrate with external Identity Providers (IdPs). If exploited, this prototype pollution can lead to severe consequences such as privilege escalation, enabling attackers to bypass authentication or authorization checks if affected code relies on checking properties of otherwise clean objects (e.g., <code>req.user.isAdmin</code>). It can also cause denial of service through logic bypasses if critical application logic branches on object properties, leading to unpredictable behavior or crashes. The modification to <code>Object.prototype</code> persists until the Node.js process is restarted, affecting every request handled by the compromised container after pollution, making detection and recovery challenging.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>npm/scim-patch</code> library to a version beyond <code>0.9.0</code> (which includes the fix for CVE-2026-48170) immediately.</li>
<li>Implement <code>Object.freeze(Object.prototype)</code> at the Node.js process startup to mitigate CVE-2026-48170, as described in the brief's &quot;Mitigation&quot; section.</li>
<li>Utilize the Node.js <code>--frozen-intrinsics</code> flag during process startup to automatically protect built-in objects from prototype pollution, which helps mitigate CVE-2026-48170.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>prototype-pollution</category><category>cve</category><category>node.js</category><category>scim</category><category>critical-vulnerability</category></item></channel></rss>