zlacker

[parent] [thread] 5 comments
1. filear+(OP)[view] [source] 2025-12-03 17:42:09
Given that the fix appears to be to look for own properties, the attack was likely to reference prototype level module properties or the gift-that-keeps-giving the that is __proto__.
replies(3): >>mirash+KW >>harral+C71 >>mary-e+9H1
2. mirash+KW[view] [source] 2025-12-03 22:27:10
>>filear+(OP)
This comment from a dupe thread is worth considering: >>46137352
3. harral+C71[view] [source] 2025-12-03 23:34:20
>>filear+(OP)
I see this type of vulnerability all the time. Seen it in Java, Lua, JavaScript, Python and so on.

I think deserialization that relying on blacklists of properties is a dangerous game.

I think rolling your own object deserialization in a library that isn’t fully dedicated to deserialization is about as dangerous as writing your own encryption code.

replies(1): >>int_19+aV1
4. mary-e+9H1[view] [source] 2025-12-04 05:08:45
>>filear+(OP)
not `__proto__` but likely `constructor`, if you access `({}).constructor` you'd get the Object constructor, then if you access `.constructor` on that you'd get the Function constructor

the one problem I haven't understood is how it manages to perform a second call afterwards, as only being able to call Function constructor doesn't really amount to much (still a serious problem though)

◧◩
5. int_19+aV1[view] [source] [discussion] 2025-12-04 07:48:03
>>harral+C71
Only if you're deserializing into objects with behavior.
replies(1): >>ectosp+pq6
◧◩◪
6. ectosp+pq6[view] [source] [discussion] 2025-12-05 15:02:47
>>int_19+aV1
What does data in a program do apart from eventually modify behavior?
[go to top]