Prototype pollution bug in popular Node.js library leaves web apps open to DoS, remote shell attacks

Ben Dickson, 03 August 2020 at 11:58 UTC. Updated: 03 August 2020 at 13:09 UTC

Package has been downloaded seven million times, but project maintainer believes most users are unaffected



A flaw in the express-fileupload library allows hackers to stage prototype pollution attacks on Node.js servers, a security researcher has discovered.


express-fileupload, a Node.js package with more than seven million downloads, enables applications to process files uploaded in web applications.


The vulnerability, which was patched in the latest release of the library, opened the door to denial-of-service (DoS) attacks and, in some cases, remote shell access.


JavaScript, Node.js’ programming language, uses prototypes to define the functions and properties of objects. Prototype pollution attacks exploit this characteristic to manipulate the behavior of applications.


express-fileupload has an option that creates nested object structures from uploaded files. When the option is turned on, an attacker can use carefully crafted filenames in web requests to stage prototype pollution attacks.
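The mechanism described above, as an added example rather than express-fileupload's own code: a simplified nested-key builder (dotted paths instead of the library's bracket syntax) in its naive form and in a hardened form, plus the check a defender can run after processing untrusted input. The function names and the dotted-path format are assumptions for illustration.

```javascript
// Added example, not code from express-fileupload. Models "build nested
// objects from user-controlled key paths" logic; names are hypothetical.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Naive builder: trusts every path segment. A segment that names a property
// inherited from Object.prototype resolves to the shared prototype object,
// so the final assignment pollutes every object in the process.
function buildNestedNaive(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let cur = out;
    for (const part of parts.slice(0, -1)) {
      if (typeof cur[part] !== 'object' || cur[part] === null) cur[part] = {};
      cur = cur[part];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened builder: rejects prototype-reaching segments, only descends into
// own properties, and uses null-prototype containers so nothing is inherited.
function buildNestedSafe(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    if (parts.some((p) => FORBIDDEN.has(p))) {
      throw new Error(`rejected key path: ${path}`);
    }
    let cur = out;
    for (const part of parts.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(cur, part);
      if (!own || typeof cur[part] !== 'object' || cur[part] === null) {
        cur[part] = Object.create(null);
      }
      cur = cur[part];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Defender's check: after handling untrusted input, a fresh object must not
// have picked up the probe property. Returns true when the prototype is clean.
function prototypeIsClean(probe) {
  return !(probe in {});
}
```

The naive builder, fed a key path whose first segment is `__proto__`, leaves the probe visible on every new object; the hardened builder throws instead and the check stays true.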


In his blog post, researcher Beomjin Lee (AKA ‘Posix’) shows how the vulnerability can be exploited to cause the Node.js server to crash and return internal server errors on every request, leading to denial of service.


Shell access


According to Lee, the bug can also be used to attack other libraries, such as the popular EJS template engine ..
