🐛Prototype Pollution in @cloudflare__json-schema-walker #1622
Description
Describe the bug
The @cloudflare__json-schema-walker package contains prototype pollution vulnerabilities in the schemaWalk and subschemaWalk functions. Attacker-controlled input passed as the options parameter to these functions can modify Object.prototype via `__proto__` keys (due to unsafe Object.assign operations), leading to potential unintended behavior, property injection, or breakage of dependent code.
To Reproduce
Steps to reproduce the behavior:
- Install the vulnerable version of @cloudflare__json-schema-walker (version not specified in the report, assume latest affected).
- Create a test script that imports the package and calls the affected functions with a malicious options object containing a `__proto__` key:

```javascript
const schemaWalker = require('@cloudflare/json-schema-walker');
// Reproduce TP0001 (schemaWalk)
schemaWalker.schemaWalk({}, () => {}, {"__proto__": {"polluted": true}}, {});
// Reproduce TP0002 (subschemaWalk)
schemaWalker.subschemaWalk({}, '/test', () => {}, {"__proto__": {"polluted": true}}, {});
```

- Run the test script (e.g., node test.js).
- Check if Object.prototype.polluted is set to true (confirm prototype pollution).
Expected behavior
The schemaWalk and subschemaWalk functions should sanitize or block `__proto__` keys in the input options parameter to prevent modification of Object.prototype. Unsafe merging of user input into internal configuration objects should be avoided, and prototype pollution attempts should be mitigated (e.g., by stripping `__proto__` keys, using safe object merging utilities, or validating input).
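The mitigation asked for above, as an added example that is not code from the report or from @cloudflare/json-schema-walker: a naive recursive option merge beside a hardened one that drops `__proto__`, `constructor` and `prototype` keys, both run on a JSON-parsed payload in the shape of the report's. The function names and the sample input are assumptions made for the example.

```javascript
// Added example, not from @cloudflare/json-schema-walker or the report.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Vulnerable pattern: `target["__proto__"]` is Object.prototype, so the recursion writes into it.
function unsafeDeepMerge(target, source) {
  for (const key in source) {
    if (source[key] !== null && typeof source[key] === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Hardened merge: skip prototype-affecting keys, descend only into own properties of
// the target, and write own data properties so no inherited setter is ever invoked.
// Rejected keys are collected in `dropped` so the caller can log or refuse the input.
function safeDeepMerge(target, source, dropped = []) {
  if (source === null || typeof source !== 'object') return target;
  const define = (obj, k, value) => Object.defineProperty(obj, k,
    { value, writable: true, enumerable: true, configurable: true });
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) { dropped.push(key); continue; }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') define(target, key, {});
      safeDeepMerge(target[key], value, dropped);
    } else {
      define(target, key, value);
    }
  }
  return target;
}
// Constructed input in the shape of the report's payload, parsed from JSON so that
// "__proto__" is an own key (an object literal would set the prototype instead).
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "depth": 3}';
// True when a fresh object inherits "polluted" from Object.prototype.
const isPolluted = () => ({}).polluted === true;
// Runs both merges on the payload and reports the outcome, then removes the
// polluted property so the rest of the process is unaffected.
function demonstrate() {
  unsafeDeepMerge({}, JSON.parse(UNTRUSTED_JSON));
  const pollutedByUnsafe = isPolluted();
  delete Object.prototype.polluted;
  const dropped = [];
  const opts = safeDeepMerge({ depth: 1 }, JSON.parse(UNTRUSTED_JSON), dropped);
  return { pollutedByUnsafe, pollutedBySafe: isPolluted(), dropped, opts };
}
```

Note that `Object.assign` into a fresh object does not by itself reach `Object.prototype`; it is the recursive descent through `target[key]` that makes the naive merge dangerous, which is why the hardened version checks own properties before descending.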
Environment and versions
OS: [Ubuntu 22.04]
Architecture: [e.g. ARM64]
Version: @cloudflare__json-schema-walker
Node.js Version: [e.g. 18.17.1, 20.9.0]
Logs and errors
For TP0001 (schemaWalk)
[CASE_ID=TP0001] [VULN_GLOBAL] ERROR: postFunc is not a function
For TP0002 (subschemaWalk)
[CASE_ID=TP0002] [VULN_GLOBAL] SAFE