jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
🔗 CVE IDs covered (1)
📋 Description
Summary
Jodit.modules.Helpers.set(chain, value, obj) walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype (prototype pollution).
Affected
- Package:
jodit(npm) - Versions:
< 4.12.26 - Public API:
Jodit.modules.Helpers.set(chain, value, obj)
Proof of Concept
const { Jodit } = require('jodit');
delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;
Impact
Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.
Patch
Fixed in 4.12.26 by rejecting any chain whose segments include __proto__, constructor, or prototype, reusing the same guard introduced for Jodit.configure() in 4.12.18.
Credit
Responsibly reported by Junming Wu.
🎯 Affected products1
- npm/jodit:< 4.12.26