CVE-2022-21824
📋 TL;DR
This CVE describes a prototype pollution vulnerability in Node.js's console.table() function when user-controlled input is passed to the 'properties' parameter alongside an object with '__proto__' as a property. It allows attackers to assign empty strings to numerical keys of the object prototype, potentially causing application instability or denial of service. Affected are Node.js applications using vulnerable versions that process untrusted input with console.table().
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
Peoplesoft Enterprise Peopletools by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Application crashes or denial of service due to prototype pollution corrupting object behavior, potentially leading to data loss or service disruption.
Likely Case
Limited impact - only allows assigning empty strings to numerical prototype keys, which may cause unexpected application behavior or minor instability.
If Mitigated
No impact if input validation prevents user-controlled data from reaching console.table() properties parameter or if Node.js is patched.
🎯 Exploit Status
Exploitation requires specific conditions: user input must reach console.table() properties parameter with objects containing '__proto__'. Public HackerOne report demonstrates proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js >=12.22.9, >=14.18.3, >=16.13.2, >=17.3.1
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Restart Required: Yes
Instructions:
1. Identify the installed Node.js version with 'node --version'.
2. Update to a patched version using a package manager: 'npm install -g n && n latest' or 'nvm install [version] && nvm use [version]'.
3. Restart all Node.js applications and services.
🔧 Temporary Workarounds
Input validation and sanitization
Validate and sanitize all user input before passing it to the console.table() function, especially anything that ends up in the properties parameter.
Avoid console.table() with untrusted input
Refactor code so that console.table() is never called with user-controlled input in the properties parameter.
🧯 If You Can't Patch
- Implement strict input validation to prevent user-controlled data from reaching console.table() properties parameter
- Use application firewalls or middleware to filter requests whose payloads carry '__proto__' keys that could reach console.table()
🔍 How to Verify
Check if Vulnerable:
Check Node.js version with 'node --version' and compare against affected versions (<12.22.9, <14.18.3, <16.13.2, <17.3.1). Review code for console.table() usage with user input.
Check Version:
node --version
Verify Fix Applied:
Confirm Node.js version is >=12.22.9, >=14.18.3, >=16.13.2, or >=17.3.1 using 'node --version'. Test application functionality with console.table().
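The version check above and the input-validation workaround can both be scripted. The following is an added example, not code from the advisory or from Node.js itself: it compares a version string against the fixed releases listed here, validates the arguments before they reach console.table(), and checks Object.prototype for the numeric keys this bug leaves behind. The names (cve202221824Status, validateTableInput, safeConsoleTable, prototypeHasNumericKeys) and the treatment of release lines the advisory does not list are assumptions.

```javascript
// Added example (not from the advisory or from Node.js). Fixed releases as listed
// in the advisory, keyed by major version.
const FIXED_VERSIONS = { 12: [12, 22, 9], 14: [14, 18, 3], 16: [16, 13, 2], 17: [17, 3, 1] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns "fixed", "vulnerable" or "unsupported". Assumption: release lines the
// advisory does not name (e.g. 13.x, 15.x, anything below 12) are reported as
// unsupported rather than guessed; lines newer than 17 shipped after the fix.
function cve202221824Status(version = process.version) {
  const [major, minor, patch] = parseVersion(version);
  const fix = FIXED_VERSIONS[major];
  if (fix === undefined) return major > 17 ? 'fixed' : 'unsupported';
  const cmp = [major, minor, patch].map((n, i) => n - fix[i]).find((d) => d !== 0) ?? 0;
  return cmp >= 0 ? 'fixed' : 'vulnerable';
}

// Property names that must never arrive from user input as table columns or row keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Rejects a `properties` array or row object that would let a forbidden key reach
// console.table(); JSON.parse('{"__proto__":1}') yields such an own key.
function validateTableInput(data, properties) {
  if (properties !== undefined) {
    if (!Array.isArray(properties)) throw new TypeError('properties must be an array');
    for (const p of properties) {
      if (typeof p !== 'string' || FORBIDDEN_KEYS.has(p)) {
        throw new TypeError(`rejected property name: ${String(p)}`);
      }
    }
  }
  const rows = Array.isArray(data) ? data : Object.values(data ?? {});
  for (const row of rows) {
    if (row === null || typeof row !== 'object') continue;
    for (const k of Object.keys(row)) {
      if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`rejected row key: ${k}`);
    }
  }
  return true;
}

function safeConsoleTable(data, properties) {
  validateTableInput(data, properties);
  console.table(data, properties);
}

// Post-condition check: this bug assigns '' to numeric keys of Object.prototype.
function prototypeHasNumericKeys() {
  return Object.getOwnPropertyNames(Object.prototype).some((k) => /^\d+$/.test(k));
}
```

Run cve202221824Status() with no argument to check the current process; prototypeHasNumericKeys() can be called after any console.table() on untrusted data to confirm nothing was polluted.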
📡 Detection & Monitoring
Log Indicators:
- Unusual console.table() usage patterns, especially with '__proto__' in objects
- Application crashes or errors related to prototype manipulation
Network Indicators:
- Requests whose payloads contain '__proto__' keys in data that is later rendered with console.table()
SIEM Query:
source="application.logs" AND ("console.table" OR "__proto__") AND (error OR crash)
🔗 References
- https://hackerone.com/reports/1431042
- https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
- https://security.netapp.com/advisory/ntap-20220325-0007/
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://www.debian.org/security/2022/dsa-5170
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html