hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
Vulnerability Type
Prototype Pollution
Root Cause
The pathIntersection function in the package does not validate the format and legality of the user-input path object, and directly uses the object's length property as a dynamic property key for internal assignment operations. Attackers can forge a path-like array object and set its length attribute to proto; after this malicious value is passed into the function, the operation bounds[1][proto] = y0 is executed, directly writing properties to Array.prototype and resulting in array prototype pollution.
Exact Code Location
TP0007: package/package/lib/path-intersection.js:84
POC Verification Code
// Import the module
const lib = require('@antv/path-util');
// Construct a forged path object to trigger prototype pollution
lib.pathIntersection({ length: '__proto__', 0: ['M', 0, 0], 1: ['L', 10, 10] }, [['M', 10, 10], ['L', 20, 20]]);
// Verify array prototype pollution
const testArr = [];
console.log(testArr.polluted); // Vulnerability exists if the corresponding value is output
hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
Vulnerability Type
Prototype Pollution
Root Cause
The pathIntersection function in the package does not validate the format and legality of the user-input path object, and directly uses the object's length property as a dynamic property key for internal assignment operations. Attackers can forge a path-like array object and set its length attribute to proto; after this malicious value is passed into the function, the operation bounds[1][proto] = y0 is executed, directly writing properties to Array.prototype and resulting in array prototype pollution.
Exact Code Location
TP0007: package/package/lib/path-intersection.js:84
POC Verification Code