Today we are releasing Ember.js 3.24.7, 3.28.10, 4.4.4, 4.8.1, and 4.9.0-beta.3 to patch a security vulnerability. A CVE number is pending and this post will be updated to include it once it's been issued.
Apps that pass untrusted input as paths to EmberObject.setProperties
or EmberObject.set
, or the corresponding standalone functions setProperties
or set
, may get surprising results that, in combination with other application bugs, could lead to cross-site scripting vulnerabilities.
import EmberObject from '@ember/object';
let o = new EmberObject();
// This can lead to prototype pollution in unpatched Ember versions
o.set(untrustedPath, untrustedValue);
// This can lead to prototype pollution in unpatched Ember versions
o.setProperties({ [untrustedPath]: untrustedValue });
These methods were vulnerable to Prototype Pollution, meaning an attacker can set paths like __proto__.__proto__.isAdmin
to mutate unexpected objects, including Javascript intrinsics like the global Object
. Depending on the specifics of your application, this can be leveraged as part of an attack to steal user credentials.
While deep property chaining is an intended feature of these APIs, and passing untrusted input to them is ill-advised, we agree that that this behavior is surprising enough to constitute an increased security risk. So this release forbids chaining any set
or setProperties
through __proto__
or constructor
.
Apps on unsupported releases that cannot immediately upgrade should audit their usage of setProperties
and set
to ensure they are not allowing users to control the paths.
Thanks to Masato Kinugawa for finding and reporting this issue.