
CVE-2020-26245: Prototype Pollution in systeminformation

CVSS Score (v3.1)
8.1

Basic Information

EPSS Score
0.77351%
Published
11/27/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
Package Name
systeminformation
Ecosystem
npm
Vulnerable Versions
< 4.30.5
First Patched Version
4.30.5

Vulnerability Intelligence
Miggo AI

Miggo AI Root Cause Analysis

The commit diff shows critical changes in input-handling patterns: 1) In processes.js, the prototype methods used by the services function (replace/toLowerCase/trim) were explicitly redefined inside that function so that a polluted String.prototype cannot alter their behaviour. 2) network.js replaced sanitizeShellString with manual character-by-character processing of the input. 3) internet.js added explicit prototype overrides during URL sanitization. These changes directly correlate to CWE-78 (Command Injection) and CWE-471 (Prototype Pollution), confirming that these functions were vulnerable to input that could modify prototypes and thereby reach arbitrary command execution.
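As an added example (not systeminformation's code, and not the patch described above), the contrast the analysis draws: a shell-argument sanitizer that resolves `replace` through `String.prototype` at call time, next to the character-by-character pattern that resolves nothing through a prototype, plus a small regression helper that runs a sanitizer while `String.prototype.replace` is temporarily neutralised and restores it afterwards. The function names, the forbidden-character list, the 2000-character cap and the sample input are assumptions.

```javascript
// Added example, not code from systeminformation. Shows why a sanitizer that
// depends on String.prototype methods stops working once those methods are
// polluted, and the prototype-independent pattern the advisory describes.

// Naive: `replace` is looked up on String.prototype on every call, so a
// polluted prototype silently turns the sanitizer into a no-op.
function sanitizeNaive(input) {
  const s = typeof input === 'string' ? input : '';
  return s.replace(/[<>*?[\]|$;&#\\\t\n\r'"`]/g, '');
}

// Hardened: a null-prototype lookup table and a plain index loop. No method is
// resolved through String.prototype, Array.prototype or Set.prototype, so the
// result cannot be changed by polluting those objects. The 2000-character cap
// (an assumed value) bounds the work done on attacker-controlled input.
const FORBIDDEN_CHARS = '<>*?[]|$;&#\\\t\n\r\'"`';   // assumed shell metacharacter list
const FORBIDDEN = Object.create(null);
for (let i = 0; i < FORBIDDEN_CHARS.length; i++) FORBIDDEN[FORBIDDEN_CHARS[i]] = true;

function sanitizeCharwise(input) {
  const s = typeof input === 'string' ? input : '';
  let out = '';
  for (let i = 0; i < s.length && i < 2000; i++) {
    const ch = s[i];
    if (FORBIDDEN[ch] !== true) out += ch;
  }
  return out;
}

// Defensive regression helper: run `fn` on `input` while String.prototype.replace
// has been replaced by a function that returns its receiver unchanged (the state
// a pollution would leave it in), then restore the original. Returns the
// sanitizer's output under that condition so a test can check it still strips
// metacharacters.
function resultUnderPollutedReplace(fn, input) {
  const original = String.prototype.replace;
  String.prototype.replace = function () { return String(this); };
  try {
    return fn(input);
  } finally {
    String.prototype.replace = original;
  }
}

// Constructed sample input (not from the advisory): an interface name with a
// command separator appended.
const SAMPLE = 'eth0; id';

function demo() {
  return {
    naive: sanitizeNaive(SAMPLE),                                  // 'eth0 id'
    charwise: sanitizeCharwise(SAMPLE),                            // 'eth0 id'
    naivePolluted: resultUnderPollutedReplace(sanitizeNaive, SAMPLE),      // 'eth0; id' (bypassed)
    charwisePolluted: resultUnderPollutedReplace(sanitizeCharwise, SAMPLE) // 'eth0 id'
  };
}

console.log(demo());
```

The point of the helper is that it belongs in a library's test suite: a sanitizer for shell arguments should be asserted to produce the same output with and without a neutralised `String.prototype.replace`, because the naive form passes every ordinary unit test and only fails once the prototype has been tampered with.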

WAF Protection Rules

WAF Rule

### Impact Command injection vulnerability by prototype pollution ### Patches Problem was fixed with a rewrite of shell sanitations to avoid prototype pollution problems. Please upgrade to version >= 4.30.5 ### Workarounds If you cannot upgrade, a
