VU#458422: CASL Ability contai... Note

VU#458422: CASL Ability contains a prototype pollution vulnerability

A prototype pollution vulnerability exists in CASL Ability versions 2.4.0 through 6.7.4, specifically within the extra module's rulesToFields() function. This vulnerability stems from the setByPath() function's failure to sanitize property names. This flaw enables attackers to inject properties into object prototypes due to a lack of proper sanitization. Attackers can leverage the vulnerability to add or modify properties on an object's prototype. Consequently, attackers can manipulate the prototype chain, potentially writing to Object.prototype. This can enable arbitrary code execution within the Node.js process. The impact includes bypassing authorization, gaining unauthorized access, and manipulating application logic. Moreover, it can lead to application crashes and denial-of-service conditions. The vulnerability is especially dangerous due to the widespread use of the CASL library, posing a risk to multiple systems. The recommended solution is to upgrade to CASL Ability version 6.7.5 or later. This vulnerability was coordinated by Maor Caplan from Alma Security.