‘Not a prototype pollution vulnerability as you might normally understand it’

NodeBB, a Node.js platform for creating forum applications, has patched a prototype pollution vulnerability that could allow attackers to impersonate other users and take over administrator accounts.

The vulnerability was caused by the mishandling of JavaScript’s flexibility in changing object prototypes at runtime.

Exploiting sockets

NodeBB uses Socket.IO, a JavaScript library that allows Node.js applications to use web sockets in order to enable asynchronous, bidirectional communications between client and server and a more fluid chat experience.

However, NodeBB developers had used an object definition that could allow attackers to misuse Socket.IO’s objects. The maintainers of NodeBB told The Daily Swig that they have released only limited information about the bug to give developers some time to update their applications.


DON’T MISS Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover


However, Barış Uşaklı, one of those maintainers, did confirm that “the issue has a big impact since it allows an attacker to impersonate other users or make Socket.IO calls as an administrator”.

On a default NodeBB installation, the vulnerability could allow an unauthenticated user to obtain admin access to the application. If the instance had enabled plugins with additional checks, such as two-factor authentication, then the impact would be more limited and require authenticated access to the application.

Uşaklı said there is no evidence that the bug has been exploited in the wild. The maintainers patched the issue on the same day it was reported and on their hosted clients the next day.

Not your average prototype pollution bug

JavaScript applications are prone to prototype pollution when a carefully crafted payload – usually an input provided by users – can modify the prototype of JavaScript objects and change the application’s behavior.

However, the NodeBB bug differs from typical flaws in this bug class.

“This is not a prototype pollution vulnerability as you might normally understand it,” Stephen Bradshaw, the security researcher who discovered and reported the bug, told The Daily Swig.


RECOMMENDED Prototype pollution: The dangerous, underrated vulnerability impacting JavaScript applications


“In this case, access to the prototype of an object that was responsible for whitelisting functions run through the Socket.IO interface could be abused to modify the application’s environment in such a way that elevation of privileges was possible.”

Per agreement with NodeBB maintainers, Bradshaw has delayed publication of his write-up and full exploitation details until January.

Be careful how you declare your objects

The patch for the bug was a simple one-line modification that changed the method used to declare one of the objects.

“The main takeaway from the issue and the fix is that it is a bad idea to use a plain JavaScript object (i.e., const someObj = {};) if the properties of this object are going to be accessed by values provided by the end user,” Uşaklı said.

The silver lining is that patching NodeBB instances is fairly easy. In case developers can’t upgrade their applications to the latest version, they can cherry-pick the patch commit and just receive the security fix.

Bradshaw said that it’s important for security assessors and developers to “understand ‘weird’ features of the programming language” when coding and reviewing an application.

“Prototype inheritance in JavaScript is a prime example of this – it’s a language-specific issue that could lead to vulnerabilities, so devs writing JavaScript in particular need to be aware of it,” Bradshaw said.


RELATED Critical vulnerabilities in open source forum software NodeBB could lead to RCE