GHSA-m56h-5xx3-2jc2 – jsii
Package
Manager: npm
Name: jsii
Vulnerable Version: >=5.7.0 <5.7.3 || >=5.6.0 <5.6.4 || >=5.5.0 <5.5.15 || >=5.4.0 <5.4.46
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Prototype pollution in jsii.configureCategories

## Summary

`jsii` is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various programming languages. jsii is typically used as a command-line tool, but it can also be loaded as a library. When loaded as a library into a larger application, prototype pollution may happen if untrusted user input is passed to the library. When used as a command-line tool, this pollution cannot occur.

## Impact

You may be impacted if you have written an application that loads jsii as a library and passes untrusted user input into the `jsii.configureCategories()` function. In that case, a user can craft input in such a way that, following the invocation, a field named "category" with a user-controlled value is added to the JavaScript Object prototype. This will cause every object in the program (both new and existing) to have a field named "category", even if it shouldn't.

**This will not affect jsii itself, but it might affect the application you have loaded jsii into.**

> The function `jsii.configureCategories()` is used to configure the severity (error, warning, etc.) of various jsii diagnostics.

**Impacted versions: <=5.7.2, <=5.6.3, <=5.5.14, <=5.4.45**

**Example:**

```js
const jsii = require('jsii');

// prints 'undefined'
console.log(JSON.stringify({}.category))

// calling 'configureCategories' with user input
jsii.configureCategories(JSON.parse('{"__proto__": "user-input"}'))

// from this point onwards, every single object literal in the program
// will contain the 'category' key, with user controlled value
console.log(JSON.stringify({}.category)) // prints 'user-input'

// this can affect the execution of the main program in case it also makes
// use of an object key called 'category'. for example, if the main program
// happens to have code like this:
const x = {} // some object in the main program (not necessarily empty)
if (x.category) {
  // this block will always be executed, effectively
  // changing the behavior of the main program.
  console.log('Do something')
} else {
  console.log('Do something else')
}
```

For more information about JavaScript prototype pollution, see [1].

## Patches

A patch is included in versions [5.7.3](https://github.com/aws/jsii-compiler/releases/tag/v5.7.3), [5.6.4](https://github.com/aws/jsii-compiler/releases/tag/v5.6.4), [5.5.15](https://github.com/aws/jsii-compiler/releases/tag/v5.5.15) and [5.4.46](https://github.com/aws/jsii-compiler/releases/tag/v5.4.46).

## Workarounds

Sanitize user input to `configureCategories()` by stripping the `__proto__` property if detected.

## References

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our issue reporting page [2] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

[1] https://learn.snyk.io/lesson/prototype-pollution/
[2] [https://aws.amazon.com/security/issue-reporting](https://aws.amazon.com/security/vulnerability-reporting)

## Credits

We would like to thank _Tariq Hawis_ for collaborating on this issue through the coordinated vulnerability disclosure process.
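The workaround above (strip `__proto__` before handing user input to `configureCategories()`) and the lookup pattern that makes such a key dangerous, as an added example that is not jsii's own code. `DIAGNOSTICS`, `applyCategories`, `applyCategoriesUnsafe` and the `JSII_1000`/`JSII_2000` codes are constructed stand-ins for a registry keyed by diagnostic code; the real jsii internals may differ.

```javascript
// Added example; not jsii's own code. DIAGNOSTICS, applyCategories* and the
// JSII_* codes are constructed stand-ins for a per-code settings registry.

// Keys that reach into the prototype chain when used to index a plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed registry: diagnostic code -> mutable settings object.
const DIAGNOSTICS = {
  JSII_1000: { category: 'warning' },
  JSII_2000: { category: 'error' },
};

// The advisory's workaround: copy only safe own keys into a null-prototype
// object so nothing downstream can reach Object.prototype through the input.
// JSON.parse() creates an own "__proto__" data property, and Object.keys()
// does list it, so the filter below sees it.
function sanitizeCategories(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('categories must be a plain object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key)) continue;        // drop "__proto__" and friends
    if (typeof input[key] !== 'string') continue; // category names are strings
    clean[key] = input[key];
  }
  return clean;
}

// Unsafe pattern (constructed, for recognising the bug in your own code):
// DIAGNOSTICS["__proto__"] evaluates to Object.prototype, which is truthy,
// so the `.category` write lands on every object's prototype.
function applyCategoriesUnsafe(categories) {
  for (const code of Object.keys(categories)) {
    const entry = DIAGNOSTICS[code];
    if (entry) entry.category = categories[code];
  }
}

// Hardened form: sanitize first, then honour only codes the registry itself
// owns. Object.hasOwn() never consults the prototype chain, so even an
// unsanitized "__proto__" key is rejected here (defence in depth).
// Returns the list of codes that were actually updated.
function applyCategories(rawCategories) {
  const categories = sanitizeCategories(rawCategories);
  const applied = [];
  for (const code of Object.keys(categories)) {
    if (!Object.hasOwn(DIAGNOSTICS, code)) continue; // unknown or unsafe code
    DIAGNOSTICS[code].category = categories[code];
    applied.push(code);
  }
  return applied;
}

// Runtime check an application can run after configuration: a fresh object
// literal must not carry a "category" key.
function isPrototypePolluted() {
  return 'category' in {};
}

// Constructed payload mirroring the advisory's example, plus one legitimate entry.
const USER_INPUT = JSON.parse('{"__proto__": "user-input", "JSII_1000": "error"}');
```

Calling `applyCategories(USER_INPUT)` updates only `JSII_1000` and leaves `isPrototypePolluted()` false; the same payload through `applyCategoriesUnsafe` flips it to true, which is the condition the advisory describes. Sanitizing at the boundary is the workaround the advisory gives; the `Object.hasOwn` check is an extra layer that protects the registry even if a caller forgets to sanitize.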
Metadata
Created: 2024-12-18T15:50:09Z
Modified: 2025-01-07T15:12:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-m56h-5xx3-2jc2/GHSA-m56h-5xx3-2jc2.json
CWE IDs: ["CWE-1321"]
Alternative ID: N/A
Finding: F390
Auto approve: 1