CVE-2022-29823

Feathers - Query “proto” is converted to real prototype

CVE

CVE-2022-29823

Title

Feathers - Query “__proto__” is converted to real prototype

Case

DIVD-2022-00020

Credits

Thomas Rinsma of Codean (finder)
Kevin Valk of Codean (finder)

Affected products

Product	Affected	Unaffected	Unknown
Feather js Feathers-Sequalize	>= 6.x to < 6.3.4 (custom)
Feather js Feathers-Sequalize

CVSS

Base score: 10 (CRITICAL)

References

https://csirt.divd.nl/DIVD-2022-00020 ( third-party-advisory )
https://csirt.divd.nl/CVE-2022-29823/ ( third-party-advisory )

Problem type(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ("Prototype Pollution")

Date published

24 Oct 2022 22:00 UTC

Last modified

02 Jan 2024 18:32 UTC

Description

Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.

JSON version.

DIVD CSIRT

CVE-2022-29823

Feathers - Query “__proto__” is converted to real prototype

Description

Feathers - Query “proto” is converted to real prototype