Common code constructs in JavaScript may be exploitable to achieve remote code execution

This week The Register reported on new findings by a group of researchers who found a critical command injection vulnerability in Parse Server, an open-source backend for Node.js environments.

Rated 10 out of 10 on the CVSS scale of severity, the vulnerability was the result of prototype pollution, a security oversight that can be abused to hijack JavaScript code and the JavaScript-based Node.js runtime.

New research frontier

The research team consisted of Mikhail Shcherbakov and Musard Balliu from KTH Royal Institute of Technology and Cristian-Alexandru Staicu from CISPA Helmholtz Center for Information Security. They found the flaw by creating a framework for detecting prototype pollution through a combination of static and dynamic analysis.

They describe their work in a paper titled ‘Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js’. The paper was distributed this month and has been submitted to next year’s USENIX, a security conference.

Using their framework, which is built atop GitHub’s static analysis framework CodeQL, they said they were able to find 11 universal gadgets – existing code structures – in the Node.js API code that can potentially enable remote code execution.

They then applied their approach to 15 popular Node.js applications and identified three instances vulnerable to remote code execution via prototype pollution. One was in Parse Server; the other two were in the NPM CLI.

One of the most common JavaScript vulnerabilities

“Prototype pollution is one of the most common security vulnerabilities found in JavaScript code”, said Feross Aboukhadijeh, an open-source developer and founder of security scanning service Socket, in an email to The Register. “The issue is particularly common in JavaScript because the language’s design heavily uses prototypal inheritance.”
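Shown below, as an added example that is not code from the paper, Parse Server or the NPM CLI, is how the prototypal inheritance Aboukhadijeh refers to turns an ordinary recursive merge helper into a pollution sink, with a hardened version and a check beside it; the merge functions and the sample JSON body are constructed for illustration.

```javascript
// Added example (constructed, not from the paper or the projects named above).
// JSON.parse() turns a key literally named "__proto__" into an ordinary own
// property; a merge that walks it then assigns through the prototype link.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: for..in visits "__proto__", target["__proto__"] resolves to
// Object.prototype, and the recursion writes the nested keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip keys that reach the prototype chain, only recurse into
// properties the target itself owns, and create nested containers without
// a prototype (Object.create(null)) so there is nothing to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check: does merging payloadJson into a fresh object make probeKey visible on
// an unrelated empty object? Restores Object.prototype afterwards.
function pollutes(mergeFn, payloadJson, probeKey) {
  mergeFn({}, JSON.parse(payloadJson));
  const leaked = probeKey in {};
  delete Object.prototype[probeKey];
  return leaked;
}

// Constructed sample request body of the kind a service might merge into a record.
const SAMPLE = '{"name": "alice", "__proto__": {"isAdmin": true}}';
console.log('unsafeMerge pollutes:', pollutes(unsafeMerge, SAMPLE, 'isAdmin')); // true
console.log('safeMerge pollutes:', pollutes(safeMerge, SAMPLE, 'isAdmin'));     // false
```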
