A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.
An attacker supplies specially crafted input data containing reserved property names, such as '__proto__', which are passed to the addConflict function without proper sanitization. The function assigns these values directly to object properties, resulting in modification of the global JavaScript Object prototype. After prototype poisoning, all objects in the application inherit the modified properties, which can cause unexpected application behavior, processing errors, or execution of injected code at locations where the poisoned properties are later read or invoked.
An attacker can cause a denial of service (DoS), trigger unexpected application behavior, or — under favorable conditions — execute arbitrary code on the server. The vulnerability is remotely accessible, requires no authentication, and requires no user interaction (CVSS 9.8).
Update the 'dagre-d3-es' package to version 7.0.11 or later. According to the description, the vulnerability remained unpatched at the time of disclosure — monitor the vendor's repository (https://github.com/tbo47/dagre-es/issues/52) and apply the patch immediately upon availability. As a temporary workaround, restrict the ability to pass untrusted input data to components using the 'bk' module.
The npm package 'dagre-d3-es' (Tbo47) in versions earlier than 7.0.11; the vulnerability was confirmed in version 7.0.9.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTbo47 Dagre D3 Es
APPTbo477.0.9