
CVE-2020-28269: Prototype Pollution in field

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.85049%
Published: 12/10/2021
Updated: 9/8/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: field
Ecosystem: npm
Vulnerable Versions: >= 0.0.1, <= 1.0.1
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability documentation explicitly references the set function in field.js at line 39 as the source of the prototype pollution. The function's recursive property-assignment logic (implemented through the moveUp helper) never validates whether a target field is safe to modify, which allows an attacker to manipulate __proto__ properties. This matches the CWE-1321 description of prototype pollution: uncontrolled modification of object prototype attributes. The provided PoC demonstrates the issue by modifying Object.prototype through field.set().
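The class of defect the analysis describes, as an added JavaScript example that is not code from the `field` package or from this page: a hypothetical naiveSet written in the style of the recursive assignment described above, beside a hardened safeSet that rejects __proto__, constructor and prototype path segments and only descends into the target's own properties, plus an isPolluted check a test suite can keep as a regression canary. All function and constant names are assumptions made for this illustration; the pollution is shown by assigning under a __proto__ segment, the same effect the referenced PoC is said to have on Object.prototype.

```javascript
// Added example (not code from the `field` package): a minimal recursive
// "set by dotted path" helper in the style the root-cause analysis describes,
// next to a hardened variant. naiveSet, safeSet, isPolluted and
// FORBIDDEN_KEYS are hypothetical names chosen for this illustration.

// Keys that reach the prototype chain instead of the target's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive variant: each path segment is read or created without asking whether
// it names a prototype-bearing property. For "__proto__.x", node['__proto__']
// on a plain object evaluates to Object.prototype, so the final assignment
// lands on the shared prototype rather than on `target`.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: reject prototype-bearing segments up front, and only
// descend into the target's own properties so the walk can never reach an
// inherited object such as Object.prototype.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set prototype-bearing key "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Detection helper for a test suite or runtime canary: does Object.prototype
// carry an own property it should not have?
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

The two guards in safeSet cover different failure modes: the deny-list stops the well-known segment names, and the own-property check stops the walk from descending into anything inherited even if a new bypass name turned up. A canary such as isPolluted('polluted') in the test suite catches a regression before the polluted property silently changes behaviour elsewhere in the process.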


WAF Protection Rules

WAF Rule

Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
