CVE-2020-28269: Prototype Pollution in field
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-28269
GHSA ID:
EPSS Score: 0.85049%
CWE: CWE-1321
Published: 12/10/2021
Updated: 9/8/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| field | npm | >= 0.0.1, <= 1.0.1 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability documentation explicitly references the `set` function in field.js at line 39 as the source of the prototype pollution. Its recursive property-assignment logic (the `moveUp` helper) walks the supplied path and assigns into each intermediate object without validating whether the target key is safe to modify, which allows an attacker to manipulate `__proto__` and thereby properties shared through the prototype chain. This matches the CWE-1321 description of prototype pollution through uncontrolled modification of prototype attributes. The provided PoC demonstrates this by modifying `Object.prototype` through `field.set()`.
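The missing check described above, shown in a hardened path-based setter. This is an added example written for this page, not code from the `field` package; `safeSet`, `moveUpSafe`, `prototypeIsClean` and the sample paths are assumed names used for illustration.

```javascript
'use strict';

// Path segments that would let a dotted path leave the target object and
// reach a shared prototype instead of an own property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing to traverse or assign reserved key "${key}"`);
  }
}

// Recursive helper with the same "one level per path segment" shape as the
// pattern in the advisory, but every segment is validated before use and the
// walk only descends into own, plain-object properties (never inherited ones).
function moveUpSafe(target, segments, value) {
  const [head, ...rest] = segments;
  assertSafeKey(head);
  if (rest.length === 0) {
    target[head] = value;
    return target;
  }
  const own = Object.prototype.hasOwnProperty.call(target, head);
  if (!own || typeof target[head] !== 'object' || target[head] === null) {
    target[head] = {};
  }
  moveUpSafe(target[head], rest, value);
  return target;
}

// Public entry point: accepts "a.b.c" or ["a", "b", "c"], rejects empty segments.
function safeSet(target, path, value) {
  if (typeof target !== 'object' || target === null) {
    throw new TypeError('target must be an object');
  }
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (segments.length === 0 || segments.some((s) => s === '')) {
    throw new TypeError('path must contain at least one non-empty segment');
  }
  return moveUpSafe(target, segments, value);
}

// Post-condition a test suite can assert after exercising a setter with
// untrusted paths: nothing leaked onto Object.prototype under this probe name.
function prototypeIsClean(probe) {
  return !(probe in {}) && !Object.prototype.hasOwnProperty.call(Object.prototype, probe);
}
```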