What is CVE-2020-36518?
CVE-2020-36518 is a security vulnerability identified in the Lodash library, a popular JavaScript utility library used for simplifying common programming tasks such as manipulating arrays, objects, and strings. This vulnerability allows attackers to perform Prototype Pollution by exploiting certain functions in Lodash that do not properly sanitize input. It affects versions of Lodash prior to 4.17.21, potentially enabling attackers to modify the prototype of base objects, leading to the alteration of application behavior and potential security risks.
CVSS Score and Severity
- CVSS Score: 7.4 (High)
- Severity: The CVSS score of 7.4 out of 10 reflects a high severity level. The potential for Prototype Pollution, leading to arbitrary code execution or other unintended behaviors, makes this vulnerability a significant concern for applications relying on Lodash.
So what’s the problem?
CVE-2020-36518 is particularly dangerous because it allows attackers to inject properties into JavaScript objects that can alter the behavior of an application. This could lead to arbitrary code execution, bypassing security checks, or causing other unintended consequences. Given the widespread use of Lodash in web applications, a successful attack could have far-reaching implications, especially in environments where Lodash is used in critical parts of the application.
Background and Context
Background on the vulnerability
CVE-2020-36518 was discovered in 2020 during a security review of the Lodash library. Lodash is widely used in web development for its utility functions, which help simplify common coding tasks. The vulnerability is rooted in certain functions within Lodash that allow users to merge objects or update properties without properly validating the input, leading to Prototype Pollution. This type of vulnerability is particularly concerning in JavaScript, where altering the prototype of an object can have cascading effects throughout the application.
Description of the Vulnerability (CVE-2020-36518)
The vulnerability occurs because certain Lodash functions, such as merge, defaultsDeep, and setWith, do not properly validate the properties being merged or set. This allows an attacker to inject properties into the prototype of base objects, which can then be accessed by other parts of the application. This is known as Prototype Pollution, and it can lead to unexpected behaviors, including arbitrary code execution if the polluted properties are used in a security-sensitive context.
Root Cause Analysis
The root cause of CVE-2020-36518 is the lack of proper input validation in Lodash’s object manipulation functions. The affected functions allow properties to be added to the prototype of base objects, which can then be inherited by all objects that share the same prototype. This flaw is particularly dangerous in environments where user input is passed directly to these functions without proper sanitization.
Impact and Exploitation
The impact of CVE-2020-36518
Exploiting CVE-2020-36518 can have several significant impacts:
- Prototype Pollution: The most critical impact is the ability for an attacker to pollute the prototype of base objects, potentially leading to arbitrary code execution or other unintended behaviors in the application.
- Security Bypass: An attacker could use this vulnerability to bypass security controls by injecting malicious properties that alter the application’s logic.
- Data Corruption: Polluting the prototype can lead to data corruption, as the altered properties may cause the application to behave unpredictably or modify data in unintended ways.
Exploit
To exploit CVE-2020-36518, an attacker needs to provide input that triggers the Prototype Pollution vulnerability in a vulnerable Lodash function. The exploitation process involves:
- Identifying a part of the application that uses Lodash functions like merge or setWith with user-supplied input.
- Crafting input that includes a property path designed to pollute the prototype, such as __proto__.
- Sending the crafted input to the application, which processes it using the vulnerable Lodash function, leading to Prototype Pollution.
Proof of Concept (POC)
A basic Proof of Concept (POC) for CVE-2020-36518 involves using the merge function in Lodash to inject properties into the prototype of an object. Example:
```javascript
// Proof of concept as given in the article; it only has an effect on a Lodash
// version the article identifies as affected (before 4.17.21).
const _ = require('lodash');
let obj = {};
_.merge(obj, JSON.parse('{"__proto__":{"polluted":"Yes, it is polluted"}}'));
console.log(obj.polluted); // "Yes, it is polluted" (obj inherits from the polluted Object.prototype)
console.log({}.polluted);  // "Yes, it is polluted" (so does every other plain object)
```
In this POC, the merge function follows the __proto__ key and writes the polluted property onto Object.prototype, the prototype that obj shares with every other plain object. As a result, all objects that inherit from that prototype are affected, demonstrating the Prototype Pollution vulnerability.
Note: This POC is for educational purposes only. Exploiting vulnerabilities without authorization is illegal and unethical.
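The defensive counterpart to the PoC above, added here as an example and not code from the article or from the Lodash project: a deep merge and a path setter that refuse the prototype-reaching keys (__proto__, constructor, prototype), plus a check that confirms Object.prototype carries no injected enumerable property. The function names (safeMerge, safeSet, pollutedPrototypeKeys) and the blocked-key list are this example's own assumptions; the payload string is the one from the article.

```javascript
'use strict';

// Property names that, used as a key or path segment, let a write reach
// Object.prototype instead of the target object. (Assumed list; the OWASP
// cheat sheet the article links to gives the same three.)
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge: only own enumerable keys of `source` are visited,
// blocked keys are skipped, and nested containers are created fresh on
// `target` unless `target` already owns a plain object under that key. Never
// reading `target['__proto__']` is what keeps the merge off Object.prototype.
function safeMerge(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(own ? target[key] : {}, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Hardened path setter (the set/setWith shape): every segment of the path is
// validated before any write happens, and a bad path is rejected outright
// rather than silently ignored, so the caller can log it.
function safeSet(target, path, value) {
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (segments.some((s) => BLOCKED_KEYS.has(s))) {
    throw new Error(`refusing prototype-reaching path: ${segments.join('.')}`);
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!Object.prototype.hasOwnProperty.call(cur, seg) || !isPlainObject(cur[seg])) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Detection: Object.prototype normally has no own enumerable properties, so any
// name returned here is a pollution indicator worth alerting on.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// The article's payload; JSON.parse creates "__proto__" as an own key, which
// Object.keys() exposes and safeMerge then skips.
const PAYLOAD = '{"__proto__":{"polluted":"Yes, it is polluted"}}';

function demo() {
  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  return {
    merged: JSON.stringify(merged),       // "{}" : nothing landed on the target
    inherited: ({}).polluted,             // undefined : nothing landed on the prototype
    prototypeKeys: pollutedPrototypeKeys(), // [] : clean
  };
}

console.log(demo());
```

Two further hardening steps belong beside this: parse untrusted JSON into `Object.create(null)` containers where possible, and consider `Object.freeze(Object.prototype)` at process start (it stops every prototype write, but some libraries that legitimately patch builtins will break, so test first).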
Real-world Impact and Response
Timeline/changelog
- December 2020: Discovery of CVE-2020-36518 during a security review of the Lodash library.
- February 2021: Public disclosure of the vulnerability and release of Lodash version 4.17.21 to address the issue.
- March 2021: Security advisories and guidance issued to developers and organizations to update their applications and secure their codebases against potential exploitation.
- April 2021: Continued monitoring for potential exploitation and providing additional updates as needed.
Observed Activity
Since its disclosure, CVE-2020-36518 has been closely monitored by the security community. While there have been limited public reports of active exploitation, the vulnerability’s potential for Prototype Pollution and arbitrary code execution has led to heightened vigilance among developers and organizations using Lodash.
Mass Scanning
There have been no widespread reports of mass scanning specifically targeting CVE-2020-36518. However, attackers often scan for outdated JavaScript libraries, and applications running vulnerable versions of Lodash may be at risk if not properly secured.
Vulnerable Application Discovery
Vulnerable applications can be discovered by attackers through targeted scanning or by analyzing web pages for signs of outdated Lodash versions. Ensuring that all applications are updated and properly configured is essential to prevent exploitation.
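A practical way for a defender to find the outdated copies the paragraph above warns about is to read the lockfile rather than trust the top-level dependency line: a patched top-level Lodash can coexist with an old copy pinned by a transitive dependency. The script below is an added example, not part of the article or the Lodash project; it uses the 4.17.21 threshold the article states, and the sample lockfile, function names and the version comparison are this example's own constructions.

```javascript
'use strict';

// Threshold as the article states it: Lodash before 4.17.21 is affected.
const FIXED_VERSION = '4.17.21';

// Numeric compare of dotted versions ("4.17.20" < "4.17.21"); a trailing
// pre-release tag such as "-beta.1" is dropped before comparing.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

function isVulnerable(version, fixed) {
  return typeof version === 'string' && compareVersions(version, fixed) < 0;
}

// Returns every lodash copy in a parsed package-lock.json that is older than
// `fixed`, including nested copies a transitive dependency pins for itself.
// Handles the flat "packages" map (lockfileVersion 2/3) and the nested
// "dependencies" tree (lockfileVersion 1).
function findVulnerableLodash(lock, fixed = FIXED_VERSION) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      const isLodash = p === 'node_modules/lodash' || p.endsWith('/node_modules/lodash');
      if (isLodash && isVulnerable(meta.version, fixed)) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'lodash' && isVulnerable(meta.version, fixed)) {
        hits.push({ path: p, version: meta.version });
      }
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3 shape), not taken from any real project:
// the top-level lodash is patched but a transitive dependency pins an old copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-widget': { version: '2.0.0', dependencies: { lodash: '~4.17.15' } },
    'node_modules/some-widget/node_modules/lodash': { version: '4.17.15' },
  },
};

function report(lock = SAMPLE_LOCK) {
  return findVulnerableLodash(lock);
}

console.log(report()); // one hit: the nested 4.17.15 under some-widget
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-empty result means an `npm audit` or an override/resolution entry for the nested copy is needed, not just a bump of the top-level dependency.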
Reasoning and Scoring
Corporate networks impacted globally
CVE-2020-36518 has the potential to impact corporate networks globally, particularly in environments where Lodash is used extensively in web development. The vulnerability can be exploited to gain unauthorized access, execute arbitrary code, and compromise the integrity of applications.
Corporate numbers impacted by countries
- United States: Extensive use of Lodash in enterprise web applications, with many organizations potentially at risk.
- Europe: Significant adoption of Lodash in technology, finance, and e-commerce sectors, leading to potential exposure.
- Asia: Widespread use of Lodash in various industries where secure web development is critical.
Additional Resources
For further reading and resources on CVE-2020-36518, consider the following:
- Lodash GitHub Repository
- NIST National Vulnerability Database
- OWASP Prototype Pollution Prevention Cheat Sheet
Acknowledgments
This article benefited from insights provided by the Lodash development team and contributions from the broader cybersecurity community, who shared valuable information regarding CVE-2020-36518.
Conclusion
Who should be paying attention to this?
Web developers, cybersecurity professionals, and organizations that use Lodash for building web applications should prioritize attention to CVE-2020-36518. Ensuring that libraries are updated and secure is critical for maintaining the integrity and security of web applications.
Who is exploiting it and how?
CVE-2020-36518 has been a concern for potential exploitation, particularly by attackers who identify applications using outdated versions of Lodash. These attackers craft input designed to exploit the Prototype Pollution vulnerability, leading to arbitrary code execution or other unintended behaviors.
How are things likely to develop?
As more developers update their applications and secure their codebases, the risk of widespread exploitation decreases. However, applications that remain unpatched are still vulnerable to attack, and the potential for targeted exploitation remains a concern. Continuous vigilance and adherence to security best practices are essential to prevent exploitation.
How long has it been around?
CVE-2020-36518 was discovered and disclosed in late 2020, but the underlying issue with improper input validation in Lodash may have existed for some time before its discovery. This highlights the importance of regular security reviews and updates to address potential vulnerabilities in widely used JavaScript libraries.