January 26, 2021

GHSL-2020-201: Prototype pollution in theia/plugin-ext

GitHub Security Lab Team

Coordinated Disclosure Timeline


Prototype pollution in mergeContents and parseConfigurationData functions.



Tested Version

Latest commit


The package contains a merge function for recursively merging two configuration objects. It does not check for problematic properties like __proto__, and hence it is vulnerable to prototype pollution. Specifically, if the target parameter to this function is under the control of an attacker, they can supply a specially crafted object that causes the function to overwrite properties on Object.prototype or add new properties to it. These properties are then inherited by every object in the program.

Here is an example, in which we assume that payload is provided by an attacker, and isAdmin is a property that is later on used to check whether a user is authorized to perform some sensitive operation:

const ConfigurationModel = require('@theia/plugin-ext/lib/plugin/preferences/configuration').ConfigurationModel;
var payload = JSON.parse('{"__proto__":{"isAdmin": true}}');
new ConfigurationModel().merge(new ConfigurationModel(payload));

After this code has run, Object.prototype.isAdmin is true. But Object.prototype is on the prototype chain of most objects, so we also have {}.isAdmin == true, and indeed u.isAdmin == true for most other objects u, including, perhaps, objects used to represent users.

We haven't been able to trace the provenance of the target parameter all the way back to its source, but looks to us like it may come from a configuration file. If that is true and a user's IDE is set up to automatically import configuration files in projects that are opened in the IDE, then an attacker can exploit the vulnerability by putting a crafted configuration file into an otherwise innocuous open-source project.

In addition, parseConfigurationData also seems to be vulnerable to prototype pollution: if data contains a property named __proto__.isAdmin, the function will overwrite the Object.prototype.isAdmin property with the value of that property.


Information Disclosure, Escalation of Privileges


This issue was discovered and reported by GitHub team member @max-schaefer (Max Schaefer).


You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-201 in any communication regarding this issue.