NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS

Summary

An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart.

While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.

Details

The deepMerge() function in packages/nocodb/src/utils/dataUtils.ts does not sanitize the following keys: (__proto__, constructor, prototype):

export const deepMerge = (target: any, ...sources: any[]) => {
  // ...
  Object.keys(source).forEach((key) => {
    if (isMergeableObject(source[key])) {
      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
      deepMerge(target[key], source[key]);  // Recursively merges __proto__
    } else {
      target[key] = source[key];
    }
  });
  // ...
};

The testConnection endpoint (packages/nocodb/src/controllers/utils.controller.ts) passes user-controlled input directly to deepMerge():

config = await integration.getConfig();
deepMerge(config, body);

When an attacker sends {"__proto__": {"super": true}}, the super property is written to Object.prototype, affecting all plain objects in the Node.js process.

Impact

Pollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.