CVE-2023-26135
📋 TL;DR
CVE-2023-26135 is a prototype pollution vulnerability in the flatnest npm package that allows attackers to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. All versions of flatnest are affected, impacting any Node.js application using this package for object flattening/nesting operations. The vulnerability exists in the nest() function, which expands dotted keys into nested objects without validating the key segments of user-supplied input.
💻 Affected Systems
- flatnest npm package
📦 What is this software?
Flatnest by Flatnest Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Denial of service through application crashes or unexpected behavior, potentially allowing privilege escalation within the application context.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially causing only application instability.
🎯 Exploit Status
Proof of concept available in GitHub issues. Exploitation requires the application to process attacker-controlled input through the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the release containing commit 27d569baf9d9d25677640edeaf2d13af165868d6
Vendor Advisory: https://github.com/brycebaril/node-flatnest/commit/27d569baf9d9d25677640edeaf2d13af165868d6
Restart Required: Yes
Instructions:
1. Update flatnest package to patched version: npm update flatnest
2. Restart your Node.js application
3. Verify the fix by checking package.json for updated version
🔧 Temporary Workarounds
Input validation wrapper
Wrap all flatnest.nest() calls with input validation that rejects objects containing __proto__ or constructor properties.
// JavaScript wrapper around the vulnerable function
const flatnest = require('flatnest');

function safeNest(input) {
  // Non-objects cannot carry pollution keys; pass them through untouched
  if (typeof input !== 'object' || input === null) return input;
  // Serialise once and reject anything that mentions a prototype pollution key.
  // Note: this substring check also rejects legitimate values that merely contain
  // the text "constructor"; a key-by-key check is stricter if that matters.
  const jsonStr = JSON.stringify(input);
  if (jsonStr.includes('__proto__') || jsonStr.includes('constructor')) {
    throw new Error('Invalid input: potential prototype pollution');
  }
  return flatnest.nest(input);
}
🧯 If You Can't Patch
- Implement strict input validation for all data passed to flatnest.nest() function
- Use Object.freeze() on Object.prototype or other critical objects to prevent prototype modification
🔍 How to Verify
Check if Vulnerable:
Check package.json or run: npm list flatnest | grep flatnest
Check Version:
npm list flatnest
Verify Fix Applied:
Verify that the installed version contains commit 27d569b, or run: npm list flatnest | grep -E 'flatnest@[0-9]+\.[0-9]+\.[0-9]+' and compare the printed version with the latest published version
📡 Detection & Monitoring
Log Indicators:
- Unusual application crashes, unexpected object property modifications, error logs containing 'flatnest' or 'nest' function failures
Network Indicators:
- Unusual HTTP requests containing nested objects with __proto__ or constructor properties
SIEM Query:
source="application_logs" AND ("flatnest" OR "prototype" OR "__proto__") AND (error OR crash OR exception)
🔗 References
- https://github.com/brycebaril/node-flatnest/blob/b7d97ec64a04632378db87fcf3577bd51ac3ee39/nest.js#L43
- https://github.com/brycebaril/node-flatnest/commit/27d569baf9d9d25677640edeaf2d13af165868d6
- https://github.com/brycebaril/node-flatnest/issues/4
- https://security.snyk.io/vuln/SNYK-JS-FLATNEST-3185149