Attack Chain

1. The application receives untrusted data from an external source (e.g., HTTP request, WebSocket message, config file).
2. The untrusted data is parsed as a JSON object.
3. The attacker crafts the JSON object to include a __proto__ property with a malicious payload as its value. For example: {"__proto__": {"isAdmin": true}}.
4. The deepMerge() function is called with a target object and the attacker-controlled JSON object as the source.
5. Due to the missing sanitization, the __proto__ property in the source object overwrites the Object.prototype with the malicious payload.
6. Subsequently, all objects in the Node.js runtime inherit the injected properties (e.g., isAdmin: true).
7. The attacker leverages the polluted Object.prototype to bypass application logic or escalate privileges.
8. The application’s behavior is altered, potentially leading to data breaches, unauthorized access, or other security impacts.

Impact

Applications using vulnerable versions of @theecryptochad/merge-guard and passing unsanitized user-supplied data to the deepMerge() function are at risk. An attacker can inject arbitrary properties onto Object.prototype, leading to privilege escalation and application logic bypass. The number of affected applications is currently unknown, but the risk is significant for applications that process untrusted input. A successful attack allows the attacker to modify the behavior of the entire Node.js application.

Recommendation

• Upgrade to @theecryptochad/merge-guard >= 1.0.1 to remediate the vulnerability. This version adds a blocklist to prevent modification of __proto__, constructor, and prototype properties (see Remediation section in Content).
• Deploy the Sigma rule “Detect Prototype Pollution via deepMerge” to detect attempts to exploit this vulnerability via HTTP requests containing __proto__ keys (see Rules).
• Sanitize all user-supplied data before passing it to deepMerge() to prevent the injection of malicious properties.