
CVE-2024-32866 @conform-to/zod

Package

Manager: npm
Name: @conform-to/zod
Vulnerable Version: >=1.0.0 <1.1.1 || >=0 <0.9.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00136 (percentile 0.34202)

Details

Conform contains a Prototype Pollution Vulnerability in `parseWith...` function

### Summary

Conform allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to `parseWith...` functions.

### PoC

```javascript
const { parseWithZod } = require('@conform-to/zod');
const { z } = require('zod');

const param = new URLSearchParams('__proto__.pollution=polluted');
const schema = z.object({ a: z.string() });

parseWithZod(param, { schema });

console.log('pollution:', ({}).pollution); // should print "polluted"
```

### Details

The invocation of the `parseWithZod` function in the above PoC triggers the `setValue` function through `getSubmissionContext` and `parse`, executing the following process, resulting in prototype pollution:

```javascript
let pointer = value;
pointer.__proto__ = pointer.__proto__;
pointer = pointer.__proto__;
pointer.polluted = "polluted";
```

This is caused by the lack of object existence checking on [line 117 in formdata.ts](https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117), where the code only checks for the presence of `pointer[key]` without proper validation.

### Impact

Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.
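A hardened nested-key setter, added here as an illustration and not conform's own code or its published fix: it rejects prototype-reaching path segments and descends only into own properties, so the PoC query string above leaves `Object.prototype` untouched. The `setValue` / `parseNested` names and the sample input are constructed for this example.

```javascript
// Hypothetical hardened setter for "object.property" paths (added example, not conform's code).
// "user.name" => { user: { name: value } }, mirroring the advisory's nested-key convention.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setValue(target, path, value) {
  const keys = path.split('.');
  let pointer = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    // Refuse any segment that could walk onto the prototype chain.
    if (FORBIDDEN_KEYS.has(key)) {
      return false;
    }
    if (i === keys.length - 1) {
      pointer[key] = value;
      return true;
    }
    // Descend only into an *own* object property. Testing `pointer[key]` alone
    // resolves inherited properties such as Object.prototype, which is the
    // missing existence check the advisory describes.
    if (!Object.prototype.hasOwnProperty.call(pointer, key) ||
        typeof pointer[key] !== 'object' || pointer[key] === null) {
      pointer[key] = {};
    }
    pointer = pointer[key];
  }
  return true;
}

// Build a nested object from URLSearchParams, collecting rejected keys for logging.
function parseNested(params) {
  const value = {};
  const rejected = [];
  for (const [name, v] of params.entries()) {
    if (!setValue(value, name, v)) {
      rejected.push(name);
    }
  }
  return { value, rejected };
}

// Constructed sample input: the PoC key plus ordinary nested fields.
const sample = new URLSearchParams('__proto__.pollution=polluted&user.name=alice');
const result = parseNested(sample);
console.log(result.value, 'rejected:', result.rejected, 'pollution:', ({}).pollution);
```

Rejected keys are worth logging server-side: a request carrying `__proto__`, `constructor` or `prototype` path segments is a useful detection signal.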

Metadata

Created: 2024-04-23T21:15:55Z
Modified: 2024-06-10T20:12:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-624g-8qjg-8qxf/GHSA-624g-8qjg-8qxf.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-624g-8qjg-8qxf
Finding: F390
Auto approve: 1