This week The Register reported on new findings by a group of researchers who found a critical command injection vulnerability in Parse Server, an open-source backend for Node.js environments.
New research frontier
The research team consisted of Mikhail Shcherbakov and Musard Balliu from KTH Royal Institute of Technology and Cristian-Alexandru Staicu from CISPA Helmholtz Center for Information Security. They found the flaw by creating a framework for detecting prototype pollution through a combination of static and dynamic analysis.
They describe their work in a paper titled ‘Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js’. The paper was distributed this month and has been submitted to next year’s USENIX, a security conference.
Using their framework, which is built atop GitHub’s static analysis framework CodeQL, they said they were able to find 11 universal gadgets – existing code structures – in the Node.js API code that can potentially enable remote code execution.
They then applied their approach to 15 popular Node.js applications and identified three instances vulnerable to remote code execution via prototype pollution. One was in Parse Server; the other two were in the NPM CLI.