Package has been downloaded seven million times, but project maintainer believes most users are unaffected

Prototype pollution bug in Node.js library leaves apps open to DoS, remote shell attacks

A flaw in the express-fileupload library allows hackers to stage prototype pollution attacks on Node.js servers, a security researcher has discovered.

express-fileupload, a Node.js package with more than seven million downloads, enables applications to process files uploaded in web applications.

The vulnerability, which was patched in the latest release of the library, opened the door to denial-of-service (DoS) attacks and, in some cases, remote shell access.

JavaScript, Node.js’ programming language, uses prototypes to define the functions and properties of objects. Prototype pollution attacks exploit this characteristic to manipulate the behavior of applications.

express-fileupload has a parseNested option that creates nested object structures from uploaded files. When the option is turned on, an attacker can use carefully crafted filenames in web requests to stage prototype pollution attacks.

In his blog post, the security researcher known as ‘Posix’ shows how the vulnerability can be exploited to cause the Node.js server to crash and return internal server errors on every request, leading to denial of service.

Shell access

According to Posix, the bug can also be used to attack other libraries, such as the popular EJS template engine, which is often used in combination with express-fileupload.

An attacker can use the express-fileupload to pollute EJS’s outputFunctionName parameter and gain shell access to the Node.js server.

“My post explains how to get a shell through EJS,” Posix told The Daily Swig, adding that such attacks are not limited to EJS. “Because the prototype pollution can change the flow of various contexts, simply adding a few referenced modules can create many possibilities for attackers.”

Read more of the latest security research news

The flaw was fixed after Posix reported it to the developers of express-fileupload. Richard Girges, who maintains the Node.js package, told The Daily Swig that the majority of the library’s users are probably unaffected by the vulnerability.

“This specific issue only applied to users who turned on the parseNested option in express-fileupload,” he explained. “This option is not on by default as it is used to address a very specific use case in how multipart requests are processed.

“As soon as we were made aware of the vulnerability, we published a fix (about 15 hours from the initial report on GitHub). We've also notated deprecation notices of prior versions of express-fileupload in the NPM registry, as this is the most efficient way to notify users of the need to upgrade the package.”

According to Posix, EJS remains vulnerable to prototype pollution attacks.

Tainted user input

“EJS does take great pains to separate data passed to templates from the options used to render the template,” Matthew Eernisse, the maintainer of the EJS library, told The Daily Swig, adding that outputFunctionName (the property exploited in Posix’s proof-of-concept) is an option and should not be settable through potentially tainted user input.

“We of course have no control over how people may choose to use EJS, and if they are passing in unsanitized, user-input data as opts, all bets are off,” he added.

Inspired by similar work done by security researcher Michał Bentkowski, Posix was using NPM module analysis to find real-world prototype pollution bugs in Node.js applications when he found the express-fileupload bug.

Vulnerabilities from JavaScript prototype or characteristics are often addressed in CTFs and other security competitions. But in the real world, very little research has been done,” Posix said.

“Polluted prototypes can affect all areas of applications independent of their scope. I think we need more research on this technology.”

RELATED Facebook offers $40k for JavaScript vulnerabilities in bug bounty program