Conversation

@wasabina67 wasabina67 commented Nov 10, 2025

Overview

The following issue occurred in v2.19.0 and was fixed in #55

$ npm i min-document@2.19.0
$ wget https://raw.githubusercontent.com/OrangeShieldInfos/PoCs/refs/heads/main/JavaScript/prototype-pollution/CVE-2025-57352/index.js
$ cat index.js
const clazz = require("min-document/dom-element");
let instance = new clazz();
instance.removeAttributeNS('__proto__', 'toString');
console.log({}.toString ? '':'[DELETE_TRIGGERED]');
$ node index.js
[DELETE_TRIGGERED]

However, the fix was incomplete, and the issue persists, as shown in the snippet.

$ npm i min-document
$ node index.js
[DELETE_TRIGGERED]

The prototype pollution vulnerability still exists because the namespace parameter wasn't validated before accessing this._attributes[namespace].
When namespace = "__proto__", the code evaluates this._attributes.__proto__ which references Object.prototype, allowing pollution of the prototype chain.

Solution

Add namespace validation before property access:
https://github.com/wasabina67/min-document/blob/966646172d9063f880aeaf79882edfc3a0ceaca4/dom-element.js#L129-L139

$ cat poc.js
var Document = require('./document.js');
var doc = new Document();
var el = doc.createElement('div');
el.removeAttributeNS('__proto__', 'toString');
console.log({}.toString ? '':'[DELETE_TRIGGERED]');
$ node poc.js

$

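An added example, not code from min-document or from this PR: a minimal element store with the unchecked removeAttributeNS next to the hasOwnProperty-guarded form the PR describes. The class and method bodies are assumed for illustration, and a constructed, configurable sentinel on Object.prototype stands in for the PoC's toString so the demo leaves the runtime usable.

```javascript
// Hypothetical element model: attributes are kept per namespace as
// { [namespace]: { [name]: value } }, the shape the PR description refers to.
class VulnerableElement {
  constructor() {
    this._attributes = {};
  }

  setAttributeNS(namespace, name, value) {
    if (!Object.prototype.hasOwnProperty.call(this._attributes, namespace)) {
      this._attributes[namespace] = {};
    }
    this._attributes[namespace][name] = value;
  }

  // Unchecked lookup: namespace "__proto__" resolves to Object.prototype,
  // so the delete removes a property from every plain object in the process.
  removeAttributeNS(namespace, name) {
    if (this._attributes[namespace]) {
      delete this._attributes[namespace][name];
    }
  }
}

class HardenedElement extends VulnerableElement {
  // Only act on namespaces that are own properties of the store; inherited
  // keys such as "__proto__" or "constructor" are ignored.
  removeAttributeNS(namespace, name) {
    if (!Object.prototype.hasOwnProperty.call(this._attributes, namespace)) {
      return;
    }
    delete this._attributes[namespace][name];
  }
}

// Returns true if a sentinel placed on Object.prototype (constructed for the
// demo, deletable so the runtime is not damaged) survives the call.
function prototypeSurvives(ElementClass) {
  const sentinel = '__pp_demo_sentinel__';
  Object.defineProperty(Object.prototype, sentinel,
    { value: 1, configurable: true, writable: true, enumerable: false });
  try {
    new ElementClass().removeAttributeNS('__proto__', sentinel);
    return Object.prototype.hasOwnProperty.call(Object.prototype, sentinel);
  } finally {
    delete Object.prototype[sentinel];
  }
}

// The guard must not break removal of a real namespaced attribute.
function removesRealAttribute(ElementClass) {
  const el = new ElementClass();
  el.setAttributeNS('xlink', 'href', '#a');
  el.removeAttributeNS('xlink', 'href');
  return !Object.prototype.hasOwnProperty.call(el._attributes.xlink, 'href');
}

console.log('vulnerable:', prototypeSurvives(VulnerableElement)); // false
console.log('hardened:', prototypeSurvives(HardenedElement));     // true
```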
@wasabina67 wasabina67 marked this pull request as ready for review November 10, 2025 11:50
Copilot AI review requested due to automatic review settings November 10, 2025 11:50
Copilot AI left a comment

Pull Request Overview

This PR adds a security check to the removeAttributeNS method to prevent prototype pollution attacks by verifying that the namespace is a direct property of the _attributes object before attempting to access it.

Key Changes

  • Added an early return check using hasOwnProperty in removeAttributeNS to validate the namespace exists as a direct property
  • Updated the comment to clarify the security purpose of the check

@Raynos Raynos merged commit 49c2e06 into Raynos:master Nov 11, 2025
6 checks passed
Raynos commented Nov 11, 2025

2.19.2 published.

Thanks for the fix.

@wasabina67 wasabina67 deleted the fix/prototype-pollution-removeAttributeNS-complete branch November 11, 2025 11:27