Beware! Prototype Pollution Vulnerability Found in Popular Mocking Library Mockjs

CVE: CVE-2023-26158
CVSS v3.1: 8.2
Source: CVE-2023-26158

Mockjs is a popular JavaScript library used for generating realistic mock data for development and testing. Researchers have disclosed a serious vulnerability in Mockjs that lets an attacker who controls input to the library modify the prototype shared by every object in the running process.

The vulnerability, a Prototype Pollution bug, is caused by a missing check in Mockjs’ Util.extend function. This function merges objects by copying the properties of one object onto another, recursing into nested objects. It does not check whether a key refers to an object's prototype, so a key such as “__proto__” is treated like any other property and the recursion writes into Object.prototype instead of into a plain object.

An attacker can exploit this by supplying a payload such as {"__proto__": {"isAdmin": true}} to code that passes it through extend. Because every plain object inherits from Object.prototype, a property written there appears on every object in the process, including objects created later that the attacker never touched. Depending on how the application reads those properties, the outcome ranges from overriding core methods or adding new ones to bypassing checks like “if (user.isAdmin)” and, in the worst case, denial of service or code execution through other code paths.

Most worryingly, the affected code is reachable through Mock.Handler, Mock.Random, Mock.RE.Handler and Mock.Util, all of which accept external input. A malicious actor who can influence the data those entry points process can therefore craft a payload that pollutes the prototype when it is handled.

The good news is that there is a workaround until a fixed release is available: wrap or patch the extend function so that it skips a denylist of dangerous property names (at minimum “__proto__”, and in practice also “constructor” and “prototype”) and only copies an object's own properties. With that check in place the known payloads no longer reach the prototype.

All Mockjs users should upgrade as soon as the maintainers publish a fixed release, and until then apply the denylist workaround and treat any data reaching the affected entry points as untrusted. Stay safe out there!
