VU#907705: Graphql-upload-mini... Note

VU#907705: Graphql-upload-minimal has a prototype pollution vulnerability.

The graphql-upload-minimal package, version 1.6.1, contains a prototype pollution vulnerability. This vulnerability resides within the processRequest() function, which is responsible for handling file uploads. The package parses multipart/form-data requests to integrate uploaded files into GraphQL operations. The vulnerability arises because user-supplied paths for mapping files are not properly validated. Special JavaScript property names, including __proto__, can be used to traverse the prototype chain. This traversal allows attackers to modify the global Object.prototype. Altering Object.prototype affects all objects inheriting from it within the Node.js process. The consequences of this pollution can include logic corruption, denial of service, or privilege escalation. To mitigate this issue, users must upgrade to graphql-upload-minimal version 1.6.3 or a later release. The patched version implements checks to prevent the assignment of unsafe properties through the prototype chain.