Anonymous Intelligence Signal

Critical Prototype Pollution Vulnerability in Widely Used 'ini' NPM Package (Patched in v1.3.6+)

The Lab (unverified) | 2026-03-30 11:27:14 | Source: GitHub Issues

A critical security flaw, identified as prototype pollution, has been patched in the widely used `ini` npm package, a fundamental library for parsing INI configuration files across the Node.js ecosystem. The vulnerability, tracked as GHSA-qqgx-2p2h-9c37, existed in all versions prior to 1.3.6. If exploited, an attacker could submit a malicious INI file to an application using `ini.parse`, polluting the object prototype and potentially leading to remote code execution, denial of service, or other severe impacts depending on the application context.

The core of the exploit is alarmingly simple. An attacker crafts an INI file containing a `[__proto__]` section with a property like `polluted = "polluted"`. When parsed by a vulnerable version of the `ini` library, this malicious payload injects properties into the global object prototype, contaminating all objects created thereafter in the application. This type of vulnerability is particularly dangerous because it can bypass typical security controls and serve as a precursor to more complex attacks.
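As an added illustration, not code from the `ini` project, the parser below applies the same defence the 1.3.6 fix took, refusing to write `__proto__`-style keys and storing sections in null-prototype objects, and pairs it with a check a test suite can run to confirm `Object.prototype` stayed clean. The `[__proto__]` input is constructed from the payload shape the advisory describes; the parser is deliberately minimal (section headers and `key = value` lines only).

```javascript
// Keys that must never be written through bracket assignment on a plain
// object, because they reach Object.prototype instead of the target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseIniSafe(text) {
  // Null-prototype objects have no inherited __proto__ setter to abuse.
  const root = Object.create(null);
  let current = root;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;
    const section = /^\[(.+)\]$/.exec(line);
    if (section) {
      const name = section[1].trim();
      if (UNSAFE_KEYS.has(name)) {
        // Route the whole hostile section into a throwaway object.
        current = Object.create(null);
        continue;
      }
      current = root[name] = Object.create(null);
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (UNSAFE_KEYS.has(key)) continue; // drop dangerous keys silently
    current[key] = value;
  }
  return root;
}

// Constructed sample: the payload shape described in the advisory.
const MALICIOUS_INI = [
  '[__proto__]',
  'polluted = "polluted"',
  '',
  '[server]',
  'port = 8080',
].join('\n');

// Regression check: a fresh plain object must not inherit "polluted".
function isPrototypePolluted() {
  return ({}).polluted !== undefined;
}

const config = parseIniSafe(MALICIOUS_INI);
```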

This patch, now included in versions 1.3.6 through 1.3.8, is a mandatory update for the vast number of projects and downstream dependencies that rely on this package. Given `ini`'s role as a basic building block in countless development stacks, from build tools to server applications, the potential attack surface is significant. Developers must immediately update their dependencies to `ini@1.3.6` or later to mitigate this risk. The silent, pervasive nature of prototype pollution makes this a high-priority fix, as exploitation can be difficult to detect and trace after the fact.