`spawn` or others) it calls the method
`normalizeSpawnArguments`, which is a prototype pollution gadget to create new env vars:
`envPairs` just by polluting the attribute
`/proc/self/environ`, it stores it inside `argv0` of
`/proc/self/environ`, it requires
`child_process` to execute code and see if we can use any technique to force that function to execute code:
`spawn` needs to be present (all methods of
`child_process` used to execute something call it). In the previous example that was part of the code, but what if the code isn't calling it?
`require` will be executed. In that scenario the attacker just needs to find a
`.js` file inside the system that will execute a spawn method when imported. Some examples of common files calling a spawn function when imported are:
`require("bytes")` it will require the package you polluted.
`.js` file inside the system that when required will execute something using
`.js` file that will execute something with `child_process`
`require("bytes")`) and the package doesn't contain `main` in the
`package.json` file, you can pollute the
`main` attribute and make the require execute a different file.
`contextExtensions` from some methods of the
`vm` library could be used as a gadget. However, as the previous
`child_process` methods, it has been fixed in the latest versions.
`options` instead of a
`kEmptyObject`, which prevents a prototype pollution from affecting the attributes of
`options` to obtain RCE. At least from v18.4.0 this protection has been implemented, and therefore the
`spawnSync` exploits affecting the methods no longer work (if no
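The protection described above comes down to what the default options object inherits from. The following is an added example, not code from the page or from Node.js itself: it models the change with a hypothetical `normalizeUnsafe`/`normalizeSafe` pair and a `kEmptyObject` constant built the same way Node's internal one is (a frozen object with no prototype). It also shows the caveat behind the "if no options are passed" condition, namely that a caller-supplied `{}` still inherits from `Object.prototype`, and adds `Object.freeze(Object.prototype)` at startup as a complementary application-side defence. The polluted key used here is constructed for the demonstration.

```javascript
// Added example (not from the original page or from Node.js): why a default of `{}`
// is a prototype pollution gadget and why a frozen null-prototype default is not.

// Frozen object with no prototype chain: nothing to inherit from, nothing to add.
// Built the same way as Node's internal kEmptyObject.
const kEmptyObject = Object.freeze(Object.create(null));

// Old style (hypothetical stand-in for the pre-fix behaviour): a plain `{}` default
// inherits every key that has been written onto Object.prototype.
function normalizeUnsafe(options = {}) {
  return { shell: options.shell, env: options.env };
}

// Hardened style: the default has no prototype, so polluted keys are invisible.
function normalizeSafe(options = kEmptyObject) {
  return { shell: options.shell, env: options.env };
}

// Runs `fn` while Object.prototype carries a constructed polluted key, and always
// removes that key afterwards so the pollution does not leak into later code.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, configurable: true, enumerable: true, writable: true,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Compares four cases: no options at all, the caller passing `{}`, and the caller
// passing an object that was created without a prototype.
function compare() {
  return withPollutedPrototype('shell', true, () => ({
    unsafeDefault: normalizeUnsafe().shell,                      // true: inherited from the polluted prototype
    safeDefault: normalizeSafe().shell,                          // undefined: no prototype to inherit from
    safeWithCallerObject: normalizeSafe({}).shell,               // true: the caller's `{}` still inherits
    safeWithNullProto: normalizeSafe(Object.create(null)).shell, // undefined: caller-side hardening
  }));
}

// Complementary application-side defence: freeze Object.prototype at startup so a
// later pollution attempt is ignored (sloppy mode) or throws a TypeError (strict mode).
// Note that this is irreversible for the life of the process.
function pollutionBlockedByFreeze() {
  Object.freeze(Object.prototype);
  try {
    Object.prototype.polluted = 'x'; // constructed pollution attempt; has no effect once frozen
  } catch (e) {
    // strict mode reports the failed write as a TypeError; either way nothing was written
  }
  return ({}).polluted === undefined;
}

console.log(compare());
```

`compare()` is the part worth reading twice: the `kEmptyObject` default only helps when the caller passes no options object, because a caller-constructed `{}` carries `Object.prototype` in its chain regardless of what the library defaults to. Freezing `Object.prototype` closes that remaining gap application-wide, at the cost of breaking any code that legitimately extends built-in prototypes, so it belongs at process startup after such extensions have been applied.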