CVE-2020-28270: Prototype pollution in object-hierarchy-access
CVSS Score: 9.8 (CVSS 3.1)

Basic Information
CVE ID: CVE-2020-28270
GHSA ID:
EPSS Score: 0.85861%
CWE: CWE-1321
Published: 10/12/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
object-hierarchy-access | npm | >= 0.2.0, < 0.33.0 | 0.33.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The core vulnerability was in the generate function's property assignment logic (CWE-1321), which lacked checks for prototype-modifying property names such as '__proto__'. The commit diff shows the fix added a specific check, (name === '__proto__' && current[name] === Object.prototype), to prevent pollution. The 'set' function is explicitly called out in PoC examples as the attack vector that triggers the vulnerable code path. Both functions work together: set() provides the external interface for modifying object hierarchies, while generate() contains the unsafe implementation.
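The following is an added example, not code from object-hierarchy-access or from the Miggo analysis above. It uses two hypothetical path-setting helpers, setPathUnsafe and setPathSafe, as stand-ins for the set()/generate() pair the analysis describes: the first walks a dotted path and creates intermediate objects with no check on segment names, so a '__proto__' segment lands on Object.prototype; the second applies the kind of guard the fix introduces (rejecting prototype-modifying names and only descending into own properties). The payload string and the scanPrototypeKeys helper for untrusted JSON are constructed for this illustration.

```javascript
// Hypothetical vulnerable helper (stand-in for set() -> generate()):
// walks `path`, creating intermediate objects, and assigns the leaf.
// There is no check on segment names, so for "__proto__" the walk
// steps onto Object.prototype and the final assignment pollutes it.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let current = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const name = segments[i];
    if (current[name] === undefined || current[name] === null) {
      current[name] = {};
    }
    current = current[name]; // for "__proto__" this is Object.prototype
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Names that reach the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: refuse prototype-modifying segments up front, and only
// descend into own, non-null object properties (never inherited ones).
function setPathSafe(target, path, value) {
  const segments = path.split('.');
  for (const name of segments) {
    if (FORBIDDEN_KEYS.has(name)) {
      throw new TypeError(`refusing to set prototype-modifying key "${name}"`);
    }
  }
  let current = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const name = segments[i];
    const own = Object.prototype.hasOwnProperty.call(current, name);
    if (!own || typeof current[name] !== 'object' || current[name] === null) {
      current[name] = {};
    }
    current = current[name];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Defensive pre-check for untrusted JSON (constructed helper): JSON.parse
// turns "__proto__" into an own key, so a recursive scan finds it before
// the data is handed to any path-setting API. Returns the offending paths.
function scanPrototypeKeys(obj, prefix = '') {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const key of Object.keys(obj)) {
    const here = prefix ? `${prefix}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    hits.push(...scanPrototypeKeys(obj[key], here));
  }
  return hits;
}

// Runs both helpers against a constructed payload and reports what a
// fresh, unrelated object sees afterwards. Cleans up the pollution so the
// rest of the process is unaffected.
function demo() {
  const before = ({}).polluted;                       // undefined
  setPathUnsafe({}, '__proto__.polluted', 'yes');     // vulnerable path
  const after = ({}).polluted;                        // 'yes' on every object
  delete Object.prototype.polluted;                   // undo the pollution

  let rejected = false;
  try {
    setPathSafe({}, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const normal = setPathSafe({}, 'a.b.c', 1);         // legitimate use still works

  const untrusted = JSON.parse('{"user":{"__proto__":{"isAdmin":true}}}');
  const findings = scanPrototypeKeys(untrusted);

  return { before, after, rejected, normal, findings, cleaned: ({}).polluted };
}
```

Running demo() shows the whole story in one call: the unsafe helper makes `({}).polluted` read "yes" for every object in the process, the hardened helper throws a TypeError for the same path while still handling `a.b.c`, and the JSON scan reports `user.__proto__` before the data ever reaches a setter.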