This repository was archived by the owner on Dec 17, 2025. It is now read-only.
Hi Team,
Is this really a vulnerability as I was not able to really exploit it? Below is the POC code. I was not able to pollute the Prototype property of other objects.
```js
const parser = require("./parseQuery.js")
let result = parser.parseQuery('?{a:"1",__proto__:{"isPolluted":true}}')
let result2 = parser.parseQuery('?{b:"3"}')
console.log(result)
console.log(result.isPolluted) // True (The prototype of result has a new property isPolluted defined)
console.log(result2.isPolluted) // Undefined (It should return true if the Prototype vulnerability exists )
```
Hello,
I ran into this CVE/issue from work and decided to look into it, as I see that many packages depend on this and it was considered CRITICAL. I agree with the comment from @dingjiedanielyang-sec saying that there was no vulnerability in the first place, because every time parseQuery runs it creates a NEW empty/null object and populates it according to the provided string, i.e. you can't pollute something that has "nothing" in the first place. The "fix" pretty much did nothing. This might have been a different story if it started with some other non-null object.
What could be a security concern is how this new object will be handled, as you can technically create one with arbitrary properties that could be malicious. However, this will be up to the applications/other-packages using this as a dependency to properly "sanitize" the query/string provided and object.
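The distinction both comments above turn on, as an added example that is not part of the original thread and is not loader-utils code: a prototype change confined to one freshly built result versus a write that reaches the shared `Object.prototype`. All helper names are hypothetical, `JSON.parse` stands in for the real parser, and the recursive merge goes beyond the thread to show the general case of writing into an existing object.

```javascript
// Added illustration; these helpers are hypothetical, not loader-utils code.
// Constructed input: JSON.parse keeps "__proto__" as an ordinary own key.
const PAYLOAD = '{"a":"1","__proto__":{"isPolluted":true}}';

// Case 1: copy parsed keys into a brand-new object on every call.
// Assigning to "__proto__" swaps the prototype of that one object only.
function copyIntoFresh(json) {
  const out = {};
  for (const [k, v] of Object.entries(JSON.parse(json))) out[k] = v;
  return out;
}

// Case 2: recursive merge into an existing object. target["__proto__"]
// resolves to the shared Object.prototype, so the nested write lands there.
function unsafeMerge(target, src) {
  for (const k of Object.keys(src)) {
    const both = src[k] && typeof src[k] === "object" && target[k] && typeof target[k] === "object";
    if (both) unsafeMerge(target[k], src[k]);
    else target[k] = src[k];
  }
  return target;
}

// Hardened copy: null-prototype result plus a denylist of special keys.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function safeCopy(json) {
  const out = Object.create(null);
  for (const [k, v] of Object.entries(JSON.parse(json))) {
    if (!BLOCKED.has(k)) out[k] = v;
  }
  return out;
}

// Check: does an unrelated, freshly created object see the property?
function leaksToOtherObjects(name) {
  return name in {};
}

function demo() {
  const local = copyIntoFresh(PAYLOAD);
  const r = { localSees: local.isPolluted === true, afterCopy: leaksToOtherObjects("isPolluted") };
  unsafeMerge({}, JSON.parse(PAYLOAD));
  r.afterMerge = leaksToOtherObjects("isPolluted");
  delete Object.prototype.isPolluted; // undo the global write
  r.safeSees = "isPolluted" in safeCopy(PAYLOAD);
  return r;
}
```

`demo()` reports that the fresh-object copy affects only its own result, that the merge makes the property visible on unrelated objects until it is deleted, and that the hardened copy exposes it nowhere.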
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2022-37601
Resolves: #212