A Node.js application running an Express server is the subject of a vulnerability known as prototype pollution. This vulnerability can be exploited by hackers and enables them to inject dangerous code through the __proto__ property. The hacker uses it by manipulating the isAdmin field via a POST request in order to hijack a user's profile. The developer merges objects with an outdated, insecure version of the deep-extend package, which does not recognise and block such keys. Hence, the innocent isAdmin field becomes a dangerous backdoor for the hacker. This case demonstrates how important it is to keep packages up to date and to stay vigilant about potential vulnerabilities in order to protect a company's data and infrastructure.
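The merge behaviour described above, as an added example that is not code from the original page or from the deep-extend project: a minimal recursive merge that reproduces the flaw beside a hardened version, run against a constructed profile-update body. The function and variable names are assumptions chosen for illustration.

```javascript
// Constructed request body, as an Express JSON handler would hand it to a
// profile-update route. JSON.parse makes "__proto__" an ordinary own key.
const POST_BODY = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Flawed deep merge: it copies every own key of the source. Reading
// target["__proto__"] returns Object.prototype, so the recursion writes
// isAdmin onto the prototype shared by every plain object in the process.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      vulnerableMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: keys that reach the prototype chain are dropped, and nested
// targets are only reused when they are own properties of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Applies a merge to a stored profile, then checks whether an unrelated,
// freshly created object now "has" isAdmin. That is the backdoor: any later
// authorisation check such as `if (user.isAdmin)` passes for everyone.
function demoPollution(merge) {
  const profile = { name: 'bob', isAdmin: false };
  merge(profile, POST_BODY);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so the process stays usable
  return polluted;
}
```

Freezing Object.prototype at startup (`Object.freeze(Object.prototype)`) is a further defence in depth that makes the flawed merge fail loudly instead of silently escalating privileges.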