First published: Wed Dec 18 2024
## Summary

`jsii` is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various programming languages. jsii is typically used as a command-line tool, but it can also be loaded as a library. When loaded as a library into a larger application, prototype pollution may happen if untrusted user input is passed to the library. When used as a command-line tool, this pollution cannot occur.

## Impact

You may be impacted if you have written an application that loads jsii as a library and passes untrusted user input into the `jsii.configureCategories()` function. In that case, a user can craft input in such a way that, following the invocation, a field named "category" with a user-controlled value is added to the JavaScript Object prototype. This will cause every object in the program (both new and existing) to have a field named "category", even if it shouldn't.

**This will not affect jsii itself, but it might affect the application you have loaded jsii into.**

> The function `jsii.configureCategories()` is used to configure the severity (error, warning, etc.) of various jsii diagnostics.

**Impacted versions: <=5.7.2, <=5.6.3, <=5.5.14, <=5.4.45**

**Example:**

```js
const jsii = require('jsii');

// prints 'undefined'
console.log(JSON.stringify({}.category))

// calling 'configureCategories' with user input
jsii.configureCategories(JSON.parse('{"__proto__": "user-input"}'))

// from this point onwards, every single object literal in the program
// will contain the 'category' key, with user controlled value
console.log(JSON.stringify({}.category)) // prints 'user-input'

// this can affect the execution of the main program in case it also makes
// use of an object key called 'category'. for example, if the main program
// happens to have code like this:
const x = {} // some object in the main program (not necessarily empty)
if (x.category) {
  // this block will always be executed, effectively
  // changing the behavior of the main program.
  console.log('Do something')
} else {
  console.log('Do something else')
}
```

For more information about JavaScript prototype pollution, see [1].

## Patches

A patch is included in versions [5.7.3](https://github.com/aws/jsii-compiler/releases/tag/v5.7.3), [5.6.4](https://github.com/aws/jsii-compiler/releases/tag/v5.6.4), [5.5.15](https://github.com/aws/jsii-compiler/releases/tag/v5.5.15), [5.4.46](https://github.com/aws/jsii-compiler/releases/tag/v5.4.46).

## Workarounds

Sanitize user input to `configureCategories()` by stripping the `__proto__` property if detected.

## References

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our issue reporting page [2] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

[1] https://learn.snyk.io/lesson/prototype-pollution/

[2] [https://aws.amazon.com/security/issue-reporting](https://aws.amazon.com/security/vulnerability-reporting)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/jsii | >=5.4.0, <5.4.46 | 5.4.46 |
| npm/jsii | >=5.5.0, <5.5.15 | 5.5.15 |
| npm/jsii | >=5.6.0, <5.6.4 | 5.6.4 |
| npm/jsii | >=5.7.0, <5.7.3 | 5.7.3 |
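The workaround above says to strip `__proto__` before handing user input to `configureCategories()`. The following is an added example, not jsii's own code, showing how an application that embeds jsii can do that: a sanitizer that returns a prototype-less copy of the parsed input, the plain-object lookup pattern that lets a `__proto__` key reach `Object.prototype` (an illustration of the bug class, not the actual jsii code path), the hardened equivalent, and a post-condition check an application can run to detect that pollution has occurred. All helper names (`sanitizeCategories`, `applyCategoriesUnsafe`, `applyCategoriesSafe`, `makeRegistry`, `isPrototypePolluted`) and the registry layout are assumptions made for the demo.

```javascript
// Added example, not jsii's own code. Helper names and the registry layout
// (category name -> { severity }) are assumptions made for this demo.

// Keys that let a plain-object lookup or assignment escape to Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Own-property check that ignores anything inherited from a prototype.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Return a prototype-less copy of `input` holding only own, safe, string-valued
// entries. After JSON.parse, "__proto__" is an ordinary own key, so Object.keys()
// sees it and the filter catches the exact payload from the advisory.
function sanitizeCategories(input) {
  const clean = Object.create(null);
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return clean;
  }
  for (const name of Object.keys(input)) {
    if (UNSAFE_KEYS.has(name)) continue;           // drop the dangerous keys
    if (typeof input[name] !== 'string') continue; // severities are strings
    clean[name] = input[name];
  }
  return clean;
}

// A small registry of known diagnostic categories (constructed sample data).
function makeRegistry() {
  return { 'typescript-config': { severity: 'warning' } };
}

// Vulnerable pattern (illustrative, not jsii's code): index a plain object with
// the user's key, then write into whatever comes back. registry['__proto__'] is
// Object.prototype, so the `.severity` write lands on every object in the process.
function applyCategoriesUnsafe(registry, input) {
  for (const name of Object.keys(input)) {
    if (registry[name] === undefined) registry[name] = { severity: 'error' };
    registry[name].severity = input[name];
  }
  return registry;
}

// Hardened version: sanitize first, then only touch categories the registry
// itself owns, so inherited names such as __proto__ are never dereferenced.
function applyCategoriesSafe(registry, input) {
  const clean = sanitizeCategories(input);
  for (const name of Object.keys(clean)) {
    if (!hasOwn(registry, name)) continue; // unknown category: ignore it
    registry[name].severity = clean[name];
  }
  return registry;
}

// Detection check an application can run after processing untrusted config:
// true if `field` has become an own property of Object.prototype.
function isPrototypePolluted(field) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, field);
}

// Stand-alone demo of the hardened path with the advisory's payload.
function demo() {
  const payload = JSON.parse('{"__proto__": "user-input", "typescript-config": "error"}');
  const registry = applyCategoriesSafe(makeRegistry(), payload);
  console.log('typescript-config severity:', registry['typescript-config'].severity); // error
  console.log('Object.prototype polluted:', isPrototypePolluted('severity'));        // false
  console.log('({}).severity:', ({}).severity);                                        // undefined
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Two design points: the sanitizer copies into `Object.create(null)` rather than deleting `__proto__` from the caller's object, so a later careless `for...in` over the result has no prototype chain to climb; and the safe applier uses an own-property check on the registry instead of trusting that a lookup returns a registry entry, which is the step where `__proto__` resolves to `Object.prototype` in the vulnerable pattern.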