GHSA-vpmm-x3fm-qr5c
jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
Details
### Summary

`Jodit.modules.Helpers.set(chain, value, obj)` walks the dot-separated `chain`, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) `__proto__`, `constructor`, or `prototype` lets the final assignment reach and mutate `Object.prototype` (prototype pollution).

### Affected

- Package: `jodit` (npm)
- Versions: `< 4.12.26`
- Public API: `Jodit.modules.Helpers.set(chain, value, obj)`

### Proof of Concept

```js
const { Jodit } = require('jodit');

delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;
```

### Impact

Applications that pass a user-controlled or partially user-controlled key path into `Jodit.modules.Helpers.set()` could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.

### Patch

Fixed in 4.12.26 by rejecting any `chain` whose segments include `__proto__`, `constructor`, or `prototype`, reusing the same guard introduced for `Jodit.configure()` in 4.12.18.
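
The segment guard described above, sketched as an added example; this is not Jodit's source code. The names `FORBIDDEN_SEGMENTS`, `isSafeChain`, `safeSet` and `demo` are hypothetical, and the sketch assumes `.` is the only path separator.

```javascript
// Added illustration, not Jodit's implementation: a dot-path setter that
// rejects the three prototype-mutating segments named in the advisory.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True only if every dot-separated segment is outside the forbidden set.
function isSafeChain(chain) {
  if (typeof chain !== 'string' || chain.length === 0) return false;
  return chain.split('.').every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Sets obj[a][b][c] = value for chain "a.b.c", validating before any write.
function safeSet(chain, value, obj) {
  if (!isSafeChain(chain)) {
    throw new TypeError(`Refusing unsafe key path: ${String(chain)}`);
  }
  const parts = chain.split('.');
  let node = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Follow only own object-valued properties; anything inherited or
    // non-object is replaced by a fresh object owned by this node.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return obj;
}

// Constructed sample chains: one benign, three that the guard must refuse.
function demo() {
  const results = { rejected: [] };
  results.target = safeSet('toolbar.buttons.size', 'large', {});
  const hostile = ['__proto__.polluted', 'a.constructor.prototype.polluted', 'a.prototype.x'];
  for (const chain of hostile) {
    try {
      safeSet(chain, 'yes', {});
    } catch (e) {
      results.rejected.push(chain);
    }
  }
  results.prototypeClean = !('polluted' in {});
  return results;
}
```

The check runs over the whole chain before the first write, so a forbidden segment in the middle of a path leaves the target object untouched.
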
### Credit

Responsibly reported by Junming Wu.