Prototype pollution vulnerability in source-map SourceNode#setSourceContent #523

@Vincebye

Description

Hi, we are a security team. We found a prototype pollution vulnerability in your project.

The issue affects source-map in SourceNode#setSourceContent.

The vulnerable behavior happens when the attacker-controlled source file name is used as a dynamic property key in sourceContents. If the source file name is __proto__, prototype pollution may occur.

Impact

An attacker may be able to change the prototype of the internal sourceContents object in the affected runtime.

Proof of concept

const { SourceNode } = require('source-map');

// SourceNode(line, column, source, chunks, name): all null yields a bare node.
const node = new SourceNode(null, null, null, null, null);
// Attacker-controlled source file name used directly as the sourceContents key.
node.setSourceContent('__proto__', { polluted: true });

console.log(node.sourceContents.polluted); // true

Details

We confirmed the following case:

  • sink: ./lib/source-node.js:304

The root cause is that untrusted source file names can flow into dynamic property writes without blocking special prototype-related keys.
