CVE-2023-26135: flatnest Prototype Pollution vulnerability

CVSS Score (v3.1)
7.3

Basic Information

EPSS Score
0.23591%
Published
6/30/2023
Updated
2/7/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| flatnest | npm | <= 1.0.0 | |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the insert() helper function in nest.js, which handles path traversal during object nesting. The pre-patch code lacked checks for prototype-pollution vectors:

  1. No validation against '__proto__' key assignments
  2. No protection against 'constructor' property modifications

This is confirmed by:

  • The GitHub commit adding 'if (key === "__proto__") continue' and 'if (key === "constructor"...' guards
  • Test cases demonstrating pollution via these vectors
  • Multiple advisories explicitly citing nest.js as the vulnerable file
  • The vulnerability manifests when processing attacker-controlled keys through insert() during nest() operations
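
The unguarded path walk described above, next to a guarded counterpart, as an added example (not flatnest's source and not code from the advisory). The names `insertUnsafe`, `insertSafe`, `nest` and the blocklist are assumptions made for illustration, and the sample input is constructed.

```javascript
// Added illustration only: hypothetical helpers, not the flatnest implementation.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Pre-patch shape: walks a dotted path and creates containers with no key checks.
function insertUnsafe(target, path, value) {
  const keys = path.split(".");
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key]; // for "__proto__" this steps onto Object.prototype
  }
  node[keys[keys.length - 1]] = value;
}

// Guarded shape: refuse any path containing a blocked segment, and only
// descend into properties the object itself owns.
function insertSafe(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => BLOCKED.has(k))) return false;
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return true;
}

// Minimal nest(): turns { "a.b": 1 } into { a: { b: 1 } } using the given insert.
function nest(flat, insert) {
  const out = {};
  for (const key of Object.keys(flat)) insert(out, key, flat[key]);
  return out;
}

// Constructed input, shaped like a parsed request body with one hostile key.
function demo() {
  const flat = JSON.parse('{"user.name":"a","__proto__.polluted":"yes"}');
  const before = ({}).polluted;
  nest(flat, insertUnsafe);
  const afterUnsafe = ({}).polluted; // every object now inherits the value
  delete Object.prototype.polluted; // restore the shared prototype
  const safeOut = nest(flat, insertSafe);
  return { before, afterUnsafe, afterSafe: ({}).polluted, safeOut };
}
```
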

WAF Protection Rules

WAF Rule

All versions of the package flatnest are vulnerable to Prototype Pollution via the `nest()` function in `flatnest/nest.js` file.