Skip to content

Security: Prototype Pollution via Extension ID Manipulation#1192

Open
tomaioo wants to merge 1 commit into
asyncapi:masterfrom
tomaioo:fix/security/prototype-pollution-via-extension-id-man
Open

Security: Prototype Pollution via Extension ID Manipulation#1192
tomaioo wants to merge 1 commit into
asyncapi:masterfrom
tomaioo:fix/security/prototype-pollution-via-extension-id-man

Conversation

@tomaioo

@tomaioo tomaioo commented Jun 29, 2026

Copy link
Copy Markdown

Summary

Security: Prototype Pollution via Extension ID Manipulation

Problem

Severity: High | File: packages/parser/src/models/v2/extensions.ts:L10

The Extensions.get() method in both v2 and v3 modifies the input id parameter by prepending x- if not present. However, it uses id = id.startsWith('x-') ? id : \x-${id}`;which mutates the parameter. More critically, theEXTENSION_REGEX in constants.ts (/^x-[\w\d.-_]+$/) allows dot characters, and the extension ID is used as a key in various object lookups. If untrusted input reaches this code with prototype pollution payloads like proto, constructor, or prototype, it could manipulate object prototypes. The regex does not prevent these special property names since protowould match afterx-` prefix is added.

Solution

Sanitize extension IDs to block prototype pollution by rejecting or escaping __proto__, constructor, and prototype keys. Consider using Object.create(null) for maps that store extension data, or use a Map instead of plain objects for extension storage.

Changes

  • packages/parser/src/models/v2/extensions.ts (modified)

The `Extensions.get()` method in both v2 and v3 modifies the input `id` parameter by prepending `x-` if not present. However, it uses `id = id.startsWith('x-') ? id : \`x-${id}\`;` which mutates the parameter. More critically, the `EXTENSION_REGEX` in constants.ts (`/^x-[\w\d.\-_]+$/`) allows dot characters, and the extension ID is used as a key in various object lookups. If untrusted input reaches this code with prototype pollution payloads like `__proto__`, `constructor`, or `prototype`, it could manipulate object prototypes. The regex does not prevent these special property names since `__proto__` would match after `x-` prefix is added.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@changeset-bot

changeset-bot Bot commented Jun 29, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 27a0752

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@asyncapi-bot

Copy link
Copy Markdown
Contributor

We require all PRs to follow Conventional Commits specification.
More details 👇🏼

 Unknown release type "Security" found in pull request title "Security: Prototype Pollution via Extension ID Manipulation". 

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome to AsyncAPI. Thanks a lot for creating your first pull request. Please check out our contributors guide useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants