
CVE-2022-37257: steal vulnerable to Prototype Pollution via requestedVersion variable

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.3434%
Published
9/16/2022
Updated
1/30/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
steal        | npm       | <= 2.3.0            |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how 'requestedVersion' is processed in convertLater. The function stores callback functions using the user-controlled 'requestedVersion' as an object key, with no guard against prototype-related key names. When an attacker supplies a version string such as '__proto__', the assignment reaches the prototype chain instead of creating an ordinary own property. This matches CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution'). The GitHub advisory specifically calls out 'requestedVersion' in npm-convert.js as the injection vector, and the code shows direct use of this variable in key assignment without safe property checks.
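The pattern the analysis describes, as an added example that is not steal's code: a deferred-callback registry keyed by the requested version string, in its vulnerable form beside a hardened one. All function and constant names (registerVulnerable, registerSafe, FORBIDDEN_KEYS, VERSION_RE, isPolluted) are hypothetical, and the version-string regex is a constructed, permissive approximation.

```javascript
// Added example, not code from steal: a deferred-callback registry keyed by a
// user-controlled version string, in its vulnerable and its hardened form.
// All names here are hypothetical illustrations of the pattern in the root cause.

// Vulnerable pattern: plain object literals, keys copied verbatim from input.
// registry['__proto__'] resolves to Object.prototype, so the inner assignment
// writes the callback onto the prototype shared by every object in the process.
function registerVulnerable(registry, requestedVersion, moduleName, callback) {
  registry[requestedVersion] = registry[requestedVersion] || {};
  registry[requestedVersion][moduleName] = callback;
  return registry;
}

// Hardened pattern:
//  1. Map instead of object literals, so keys never touch the prototype chain.
//  2. The version string is validated before use; the magic property names are
//     rejected explicitly as a second layer in case the storage changes later.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const VERSION_RE = /^[A-Za-z0-9.^~<>=*\- ]{1,64}$/; // constructed semver-range shape

function isSafeVersionKey(key) {
  return typeof key === 'string' && !FORBIDDEN_KEYS.has(key) && VERSION_RE.test(key);
}

function registerSafe(registry, requestedVersion, moduleName, callback) {
  if (!isSafeVersionKey(requestedVersion)) {
    throw new TypeError(`rejected requestedVersion: ${JSON.stringify(requestedVersion)}`);
  }
  let byModule = registry.get(requestedVersion);
  if (!byModule) {
    byModule = new Map();
    registry.set(requestedVersion, byModule);
  }
  byModule.set(moduleName, callback);
  return registry;
}

// Detection helper: true if Object.prototype now carries a property it never
// defined, i.e. some code path polluted the shared prototype.
function isPolluted(propertyName) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, propertyName);
}
```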


WAF Protection Rules

WAF Rule

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.
