CVE-2020-28270: Prototype pollution in object-hierarchy-access

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.85861%
Published: 10/12/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: object-hierarchy-access
Ecosystem: npm
Vulnerable Versions: >= 0.2.0, < 0.33.0
First Patched Version: 0.33.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The core vulnerability was in the generate function's property assignment logic (CWE-1321), which lacked checks for prototype-modifying properties like '__proto__'. The commit diff shows that the fix added a specific check for (name === '__proto__' && current[name] === Object.prototype) to prevent pollution. The 'set' function is explicitly called out in PoC examples as the attack vector that triggers the vulnerable code path. The two functions work together: set() provides the external interface for modifying object hierarchies, while generate() contains the unsafe implementation.
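As an added illustration of the pattern the analysis describes (this is not the object-hierarchy-access source), here is a minimal path setter where a hypothetical generate() walks and creates the hierarchy and set*() is the public entry point; setUnsafe() keeps the CWE-1321 defect, while setSafe() applies the check from the fix and, going beyond the page, also refuses the 'constructor' and 'prototype' segments.

```javascript
// Added example, not the object-hierarchy-access source: a minimal path
// setter in the shape the analysis describes. generate() walks and creates
// the hierarchy, set*() is the external entry point. setUnsafe() keeps the
// CWE-1321 defect; setSafe() applies the check from the fix and, going
// beyond it, also refuses the 'constructor' and 'prototype' segments.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// guard(current, name) returns true when the segment must not be followed.
function generate(root, segments, value, guard) {
  let current = root;
  for (let i = 0; i < segments.length; i++) {
    const name = segments[i];
    if (guard && guard(current, name)) {
      throw new Error(`refusing to traverse property "${name}"`);
    }
    if (i === segments.length - 1) {
      current[name] = value;           // leaf: assign the value
    } else {
      if (typeof current[name] !== 'object' || current[name] === null) {
        current[name] = {};            // create a missing intermediate level
      }
      current = current[name];         // descend one level
    }
  }
  return root;
}

// Vulnerable: '__proto__' is treated like any other key, so a path such as
// "__proto__.x" descends into Object.prototype and writes x there, which
// every plain object in the process then inherits.
function setUnsafe(root, path, value) {
  return generate(root, path.split('.'), value, null);
}

// Hardened: the guard mirrors the fix's condition
// (name === '__proto__' && current[name] === Object.prototype) and adds a
// blocklist so the other prototype-reaching keys are rejected as well.
function setSafe(root, path, value) {
  const guard = (current, name) =>
    (name === '__proto__' && current[name] === Object.prototype) ||
    FORBIDDEN.has(name);
  return generate(root, path.split('.'), value, guard);
}

// Detection helper: true when Object.prototype gained an own property `key`.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```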

WAF Protection Rules

WAF Rule

Overview: A prototype pollution vulnerability in 'object-hierarchy-access' versions from 0.2.0 up to, but not including, 0.33.0 allows an attacker to cause a denial of service and may lead to remote code execution.