7.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-45811

GHSA ID

GHSA-jg82-xh3w-rhxx

EPSS Score

0.3278%

CWE

CWE-1321

Published

10/18/2023

Updated

11/12/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-45811

CVE-2023-45811: Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution

Impact

A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.

Summary

A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.

When executing in Node.js, due to use of the prettier module, defining a parser property on __proto__ with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.

Patch

A fix has been released in deobfuscator@2.4.4.

Mitigation

Upgrade synchrony to v2.4.4
Launch node with the --disable-proto=delete or --disable-proto=throw flag

Proof of Concept

Craft a malicious input file named poc.js as follows:

// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())

// Synchrony exploit PoC
{
  var __proto__ = { parser: 'poc.js' }
}

Then, run synchrony poc.js from the same directory as the malicious file.

Credits

This vulnerability was found and disclosed by William Khem-Marquez.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-45811

CVE-2023-45811:

7.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-45811

GHSA ID

GHSA-jg82-xh3w-rhxx

EPSS Score

0.3278%

CWE

CWE-1321

Published

10/18/2023

Updated

11/12/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
deobfuscator	npm	>= 2.0.1, < 2.4.4	2.4.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the LiteralMap transformer's use of prototype-inherited object storage (map: { [x: string]: { [x: string]: any } } = {}) in the demap function. This allowed attackers to pollute Object.prototype through proto properties. The proof of concept shows that setting proto.parser triggers Prettier's require() call. The fix replaced the vulnerable object with a Map (new Map<string, Map<string, any>>()), which prevents prototype chain pollution. The commit diff shows this critical change in literalmap.ts, confirming this was the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-45811: Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution

Impact

Summary

Patch

Mitigation

Proof of Concept

Credits

CVE-2023-45811:

7.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.8

7.8

Technical Details

CVE-2023-45811: Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution

Impact

Summary

Patch

Mitigation

Proof of Concept

Credits

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI