Boom is a Node.js package designed to simplify the creation of HTTP-friendly error responses. Versions 1.0.1 and 1.0.2 of the package share the same core functionality: providing developers with pre-formatted error objects that can be easily integrated into HTTP responses, streamlining error handling in web applications. Both versions aim to produce standardized and informative error messages, making debugging and client-side error handling more manageable.
Looking at the metadata of version 1.0.2 compared to version 1.0.1, subtle yet potentially impactful differences emerge in the declared dependencies. Version 1.0.1 declares a dependency on any version of the hoek package within the 1.0.x range, while version 1.0.2 broadens this to any version of hoek within the 1.x.x range. This widening of the accepted range suggests the developers tested and confirmed that boom 1.0.2 works flawlessly with later versions of hoek, and this seemingly small change could resolve compatibility issues for projects using more recent releases of hoek. Note that every hoek release satisfying either range predates the fixed hoek versions listed in the advisories below, so neither boom version resolves those issues. Both versions include lab as a dev dependency. The release dates differ, with the later version released on 2013-09-29T21:41:27.591Z.
All vulnerabilities related to version 1.0.2 of the package:
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
// JSON string carrying a __proto__ key; JSON.parse turns it into an own property named "__proto__"
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {};
console.log("Before : " + a.oops);
// The vulnerable merge copies the __proto__ entry onto the target's prototype, i.e. Object.prototype
Hoek.merge({}, JSON.parse(malicious_payload));
// a was never touched directly, yet it now inherits "oops" through Object.prototype
console.log("After : " + a.oops);
This type of attack can be used to overwrite existing properties causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1.
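Both advisories above come down to the same defect: a copy routine (merge, applyToDefaults, clone) that treats a `__proto__` key from attacker-controlled JSON like any other key. The following is an added example, not hoek's code, showing the two defensive controls a maintainer would apply: a merge that only copies own, non-forbidden keys, and a JSON.parse reviver that rejects such keys before the payload ever reaches a merge. `safeMerge`, `parseJsonStrict` and `demo` are names chosen for this example, and the payload is constructed after the advisory's proof of concept.

```javascript
// Keys that, when copied into a plain object, can reach Object.prototype
// or a constructor and so pollute every object in the process.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursive merge that copies only the source's own, non-forbidden keys.
// Example code written for this page; not hoek's merge implementation.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop keys that could pollute prototypes
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only recurse into an own, non-null object already on the target;
      // otherwise start from a fresh object so nothing inherited is modified.
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Parse JSON and refuse any object carrying a forbidden key at any depth.
// JSON.parse's reviver visits every own key, including a literal "__proto__".
function parseJsonStrict(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected forbidden key "${key}" in JSON payload`);
    }
    return value;
  });
}

// Runs both controls against a payload modelled on the advisory's PoC
// (constructed for this example) and reports what happened.
function demo() {
  const maliciousPayload = '{"__proto__":{"oops":"It works !"},"name":"x"}';
  const merged = safeMerge({}, JSON.parse(maliciousPayload));
  const polluted = ({}).oops !== undefined; // true only if Object.prototype was touched
  let rejected = false;
  try { parseJsonStrict(maliciousPayload); } catch (e) { rejected = true; }
  return { polluted, rejected, merged };
}
```

The merge keeps legitimate keys such as `name` while a fresh `{}` still has no `oops` property, and the strict parser refuses the payload outright, which is the better place to stop it when the JSON comes from an untrusted client.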