CVE-2022-31106

8.3 HIGH

📋 TL;DR

CVE-2022-31106 is a prototype pollution vulnerability in underscore.deep (Clever's collection of Underscore mixins for nested objects) in versions before 0.5.3. deepFromFlat expands a flat object with dotted keys ({'a.b': 1} becomes {a: {b: 1}}) into a nested one; when an attacker controls those keys, a path such as '__proto__.polluted' or 'constructor.prototype.polluted' walks into Object.prototype and adds or overwrites properties there, so every object in the process inherits the attacker's values. The direct effect is denial of service or corrupted application logic; remote code execution is possible only where other code in the process reads a pollutable property and acts on it. Any application that passes untrusted keys to deepFromFlat or deepPick is affected.

💻 Affected Systems

Products:
  • underscore.deep
Versions: All versions before 0.5.3
Operating Systems: All platforms running Node.js applications
Default Config Vulnerable: ⚠️ Yes
Notes: There is no configuration option that changes the behaviour; any code path that passes attacker-controlled keys to deepFromFlat or deepPick is vulnerable.

📦 What is this software?

underscore.deep is a small Clever library of Underscore mixins (deepGet, deepSet, deepToFlat, deepFromFlat, deepPick and similar) for reading, writing and flattening nested JavaScript objects; it is typically loaded with _.mixin(require('underscore.deep')) and used through the underscore object.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution, and from there full system compromise, data theft or a persistent backdoor. This requires a "gadget": other code in the process that reads a property the attacker can now define on Object.prototype (a template engine option, a child_process spawn option, a shell flag) and acts on it.

🟠 Likely Case: Denial of service or data corruption: a property injected into every object (an overridden toString, an unexpected key that breaks serialisation, a polluted authorisation flag such as isAdmin) crashes request handlers or changes application logic.

🟢 If Mitigated: With key validation in front of deepFromFlat, polluting keys are rejected before expansion and the worst outcome is a handled input error.

🌐 Internet-Facing: HIGH - Web applications that pass attacker-controlled keys (query string parameter names, JSON body keys) to the vulnerable functions are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated users or internal API calls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled keys (not merely values) reaching deepFromFlat or deepPick, which is common where a parsed JSON body or query string is flattened into settings, preferences or filter objects. No authentication is needed beyond whatever the surrounding endpoint already requires.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.3

Vendor Advisory: https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm

Restart Required: Yes

Instructions:

1. Set the dependency range in package.json so that it includes the fix, for example "underscore.deep": "^0.5.3".
2. Install the fixed version and refresh the lockfile: npm install underscore.deep@^0.5.3 (or yarn upgrade underscore.deep@^0.5.3). A plain npm update only moves within the range package.json already allows, so it will not help if that range excludes 0.5.3.
3. Confirm no other dependency still pulls in a vulnerable nested copy: npm ls underscore.deep.
4. Restart every affected Node.js process so the new module is loaded.

🔧 Temporary Workarounds

Input validation filter (applies to all platforms)

Validate the flat object before it reaches deepFromFlat: split each key on '.' and reject the input if any segment is exactly '__proto__', 'constructor' or 'prototype'. Match segments exactly rather than with a substring test; otherwise legitimate keys such as 'constructorName' are rejected as well.

// Guard to run on untrusted input before calling the library's deepFromFlat.
// Throws on any dotted path that contains a prototype-polluting segment.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeFlatKeys(obj) {
  for (const key of Object.keys(obj)) {
    for (const segment of key.split('.')) {
      if (FORBIDDEN.has(segment)) {
        throw new Error(`Invalid input detected: ${key}`);
      }
    }
  }
  return obj;
}

// Usage: _.deepFromFlat(assertSafeFlatKeys(untrustedInput));

🧯 If You Can't Patch

  • Validate keys, not just values: reject any key with a dotted-path segment equal to '__proto__', 'constructor' or 'prototype' before it reaches deepFromFlat or deepPick, and apply the same check to JSON bodies and query strings that are later flattened into such keys
  • Consider calling Object.freeze(Object.prototype) at startup, which turns pollution attempts into no-ops (or TypeErrors in strict mode); test first, because libraries that legitimately extend Object.prototype will break
  • Node's --disable-proto=delete flag removes the __proto__ accessor and closes that path, but not the constructor.prototype path, so it complements rather than replaces key validation
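To make the mechanism concrete, here is an added example written for this page (not code from underscore.deep or from Clever): a minimal re-implementation of the deepFromFlat contract ({'a.b': 1} becomes {a: {b: 1}}) in a naive form that descends into inherited properties, beside a hardened form that applies the segment check from the workaround above. It also provides the malicious-payload test that the Verify section asks for. The payload, the function names and the demonstrate() harness are constructed for this example.

```javascript
// Added example: a minimal re-implementation of the deepFromFlat contract,
// NOT underscore.deep's own code. Shows why a dotted key reaching the naive
// version pollutes Object.prototype, and the hardened alternative.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive expansion: descends into whatever property the path names, including
// inherited ones, so "__proto__" lands on Object.prototype directly and
// "constructor.prototype" gets there via the Object constructor function.
function naiveDeepFromFlat(flat) {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const segments = path.split('.');
    let node = result;
    for (const seg of segments.slice(0, -1)) {
      if (node[seg] === undefined) node[seg] = {};
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return result;
}

// Hardened expansion: rejects forbidden segments outright and only descends
// into own properties. The explicit check matters: assigning node['__proto__']
// invokes the prototype setter, so an own-property test alone is not enough.
function safeDeepFromFlat(flat) {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const segments = path.split('.');
    if (segments.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
      throw new Error(`Refusing prototype-polluting key: ${path}`);
    }
    let node = result;
    for (const seg of segments.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(node, seg)) node[seg] = {};
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return result;
}

// Constructed attacker payload: two pollution paths plus one benign key.
const ATTACK_PAYLOAD = {
  '__proto__.polluted': 'yes',
  'constructor.prototype.alsoPolluted': 'yes',
  'user.name': 'alice',
};

// Runs the payload through both versions and reports whether an unrelated,
// freshly created object picked up the injected properties. Deletes the
// polluted properties afterwards so the process is left clean.
function demonstrate() {
  naiveDeepFromFlat(ATTACK_PAYLOAD);
  const naiveLeaked = ({}).polluted === 'yes' && ({}).alsoPolluted === 'yes';
  delete Object.prototype.polluted;
  delete Object.prototype.alsoPolluted;

  let safeRejected = false;
  try {
    safeDeepFromFlat(ATTACK_PAYLOAD);
  } catch (err) {
    safeRejected = true;
  }
  const safeLeaked = ({}).polluted !== undefined || ({}).alsoPolluted !== undefined;

  const benign = safeDeepFromFlat({ 'user.name': 'alice', 'user.roles.0': 'admin' });
  return { naiveLeaked, safeRejected, safeLeaked, benign };
}

console.log(demonstrate());
```

The same harness, pointed at the real library's deepFromFlat instead of naiveDeepFromFlat, is a one-line regression test for the upgrade: after moving to 0.5.3 or later, ({}).polluted must stay undefined.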

🔍 How to Verify

Check if Vulnerable:

Look at the resolved version in node_modules/underscore.deep/package.json (or in the lockfile), not just the range in package.json: a range such as ^0.5.0 can resolve to a vulnerable release. Check nested copies installed by other dependencies as well.

Check Version:

npm ls underscore.deep

This lists every installed copy, including nested ones pulled in by other packages; each must be 0.5.3 or later.

Verify Fix Applied:

Confirm that the lockfile and every copy reported by npm ls are at 0.5.3 or later, then feed a pollution payload such as {'__proto__.polluted': 'yes'} to deepFromFlat and check that a fresh object still has ({}).polluted === undefined afterwards.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual prototype modification errors in logs
  • Input validation failures for '__proto__' patterns

Network Indicators:

  • HTTP requests whose parameter names or JSON body keys contain a '__proto__', 'constructor' or 'prototype' path segment, including URL-encoded (%5F%5Fproto%5F%5F) and bracket-notation (a[__proto__][x]) forms

SIEM Query:

source="application.logs" AND ("__proto__" OR "constructor" OR "prototype") AND "underscore.deep"

This bare substring match will be noisy: 'constructor' and 'prototype' occur in ordinary JavaScript stack traces and content, and the "underscore.deep" term only helps if the application actually logs the library name. Where the log schema allows, restrict the match to request parameter names and body keys, decode URL-encoding first, and match whole path segments.
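An added detection example, not from the original page and not from underscore.deep: it scans constructed structured request log records for parameter names or JSON body keys whose path segments are exactly __proto__, constructor or prototype, after URL-decoding and after splitting dotted and bracketed paths. This goes beyond the substring match in the SIEM query above and does not flag ordinary keys such as constructorName. The record fields ts, method, url and body are an assumed log schema, and the sample records are constructed.

```javascript
// Added example: detection logic over constructed request log records, not
// code from the original page or from underscore.deep. Flags parameter names
// and JSON keys that would become prototype-polluting paths if flattened into
// deepFromFlat input.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.__proto__[x]" or "a[__proto__].x" into ["a", "__proto__", "x"].
function pathSegments(key) {
  return key.split(/[.\[\]]+/).filter((s) => s.length > 0);
}

// Exact segment match, so "constructorName" or "prototypes" are not flagged.
function hasForbiddenSegment(key) {
  return pathSegments(key).some((s) => FORBIDDEN_SEGMENTS.has(s));
}

// Every dotted key path in a parsed JSON body, parents listed before children.
function jsonKeyPaths(value, prefix) {
  if (value === null || typeof value !== 'object') return [];
  const out = [];
  for (const k of Object.keys(value)) {
    const path = prefix ? `${prefix}.${k}` : k;
    out.push(path);
    out.push(...jsonKeyPaths(value[k], path));
  }
  return out;
}

// Constructed records; the field names ts/method/url/body are an assumed schema.
const SAMPLE_LOG = [
  { ts: '2022-06-20T10:00:01Z', method: 'GET', url: '/api/prefs?user.name=alice&constructorName=Bob', body: '' },
  { ts: '2022-06-20T10:00:02Z', method: 'POST', url: '/api/prefs?%5F%5Fproto%5F%5F.isAdmin=true', body: '' },
  { ts: '2022-06-20T10:00:03Z', method: 'POST', url: '/api/prefs', body: '{"settings":{"constructor":{"prototype":{"isAdmin":true}}}}' },
  { ts: '2022-06-20T10:00:04Z', method: 'POST', url: '/api/prefs?a[__proto__][polluted]=1', body: 'name=alice' },
];

// Findings for one record: query parameter names (percent-decoded by
// URLSearchParams) and, for JSON bodies, the shortest offending key path.
function scanRequest(record) {
  const findings = [];
  const q = record.url.indexOf('?');
  if (q !== -1) {
    for (const [name] of new URLSearchParams(record.url.slice(q + 1))) {
      if (hasForbiddenSegment(name)) findings.push({ where: 'query', key: name });
    }
  }
  if (record.body) {
    let parsed;
    try {
      parsed = JSON.parse(record.body);
    } catch (err) {
      return findings; // not JSON (e.g. form-encoded): nothing more to inspect here
    }
    const bad = jsonKeyPaths(parsed, '').find(hasForbiddenSegment);
    if (bad !== undefined) findings.push({ where: 'body', key: bad });
  }
  return findings;
}

// One alert per record that has at least one finding.
function scanLog(records) {
  const alerts = [];
  for (const r of records) {
    const findings = scanRequest(r);
    if (findings.length > 0) alerts.push({ ts: r.ts, method: r.method, url: r.url, findings });
  }
  return alerts;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Form-encoded bodies are skipped here; if the application accepts them, run the same URLSearchParams pass over the body that the query string gets.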
