CVE-2022-21824

EPSS 21.5% · CWE-471 (Modification of Assumed-Immutable Data)
In short

In Node.js, console.table() let user-controlled input passed as its properties argument pollute Object.prototype. The pollution is narrow: it can only assign empty strings to numeric keys on the prototype. Because every plain object inherits from Object.prototype, however, even that limited write changes how objects behave across the whole application.

Technical detail

CVE-2022-21824 is a prototype-pollution flaw in the formatting logic of console.table(). The function builds a column map keyed by the names in its properties parameter; in affected versions that map was a plain object, so a properties entry of '__proto__' resolved to Object.prototype itself. The first parameter only needs to be a plain object with at least one property (one row) for the cell-filling loop to run. For each row that has no own '__proto__' property the loop writes an empty cell, which lands on Object.prototype[rowIndex] = ''. The attacker therefore controls neither the value (always the empty string) nor the key (always a row index), which is why the impact is limited, but any code that later enumerates or truthiness-checks numeric keys on plain objects sees the injected entries. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2 and >= 17.3.1 fix this by creating the column map with a null prototype, so '__proto__' becomes an ordinary key. If upgrading is not immediately possible, never pass untrusted values as the properties argument; freezing Object.prototype at startup also blocks the write (console.table() then throws instead of polluting), at the cost of breaking any library that extends Object.prototype.

Summary generated and translated by AI from the official description.

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.
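The mechanism described above, as an added example that is not Node's own source and not part of the original advisory: a simplified model of the column map console.table() builds, run once with a plain object (the affected behaviour) and once with a null-prototype object (the fix). The names buildColumns, pollutionProbe and prototypeLooksClean, the sample rows and the attacker-controlled properties array are all constructed here for illustration.

```javascript
'use strict';

// Simplified model of the column map console.table(tabularData, properties)
// builds. This is NOT Node's source: it reproduces only the pattern the
// advisory describes, a dictionary keyed by caller-supplied property names.
// buildColumns / pollutionProbe / prototypeLooksClean are names chosen here.
function buildColumns(tabularData, properties, { nullPrototype }) {
  // Vulnerable variant: a plain {} inherits from Object.prototype, so
  // map['__proto__'] resolves to Object.prototype itself.
  // Fixed variant (Node >= 12.22.9 / 14.18.3 / 16.13.2 / 17.3.1): a null
  // prototype object has no chain, so '__proto__' is an ordinary key.
  const map = nullPrototype ? Object.create(null) : {};
  const indexKeys = Object.keys(tabularData);

  for (let i = 0; i < indexKeys.length; i++) {
    const item = tabularData[indexKeys[i]];
    const keys = properties || Object.keys(item);
    for (const key of keys) {
      if (map[key] === undefined) map[key] = [];
      // A row without the requested property gets an empty cell. With
      // key === '__proto__' and a plain map this is the bug: the write lands
      // on Object.prototype[i] = '' (empty string, numeric key only).
      if (!Object.prototype.hasOwnProperty.call(item, key)) {
        map[key][i] = '';
      } else {
        map[key][i] = String(item[key]);
      }
    }
  }
  return map;
}

// Runs the table logic with attacker-controlled `properties`, returns the
// numeric keys that leaked onto Object.prototype, and deletes them again so
// the process is left clean.
function pollutionProbe(nullPrototype) {
  const rows = [{ name: 'alice' }, { name: 'bob' }]; // constructed sample rows
  const attackerProperties = ['__proto__'];          // untrusted input
  buildColumns(rows, attackerProperties, { nullPrototype });

  const leaked = [];
  for (let i = 0; i < rows.length; i++) {
    if (Object.prototype.hasOwnProperty.call(Object.prototype, String(i))) {
      leaked.push(i);
      delete Object.prototype[i];
    }
  }
  return leaked;
}

// Cheap runtime check for this class of pollution: a fresh object must have
// no enumerable inherited keys and Object.prototype no numeric own keys.
function prototypeLooksClean() {
  for (const k in {}) { return false; }
  return Object.getOwnPropertyNames(Object.prototype)
    .every((k) => !/^\d+$/.test(k));
}

console.log('plain {} map, leaked keys:', pollutionProbe(false));      // [ 0, 1 ]
console.log('null-prototype map, leaked keys:', pollutionProbe(true)); // []
console.log('prototype clean afterwards:', prototypeLooksClean());     // true
```

The probe deliberately calls the model rather than the real console.table(), so it is safe to run on any Node release. On a live system, compare the runtime version against the fixed floors above before relying on the null-prototype behaviour, and keep the prototypeLooksClean-style check in mind as a post-condition after any code path that hands untrusted property names to a formatting or merge routine.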
Affected products
NodeJS · Node