9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-28277

GHSA ID

GHSA-q4xc-7cw8-cgfj

EPSS Score

0.84416%

CWE

CWE-1321

Published

5/24/2022

Updated

2/1/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-28277

CVE-2020-28277: dset vulnerable to prototype pollution

Overview

Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module 'dset' can be abused by Prototype Pollution vulnerability since the function ‘export ()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC

The export function accepts three arguments obj, keys, val. Due to the absence of validation, at values passed into keys, val arguments, an attacker can supply a malicious value by adjusting the keys value to include the __proto__ property. Since there is no validation before assigning property to check whether the assigned keys is the Object's own property or not, the property isAdmin will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate isAdmin the valued would be substituted as "true" as it had been polluted.

const dset = require('dset');
var obj = {}
console.log("Before : " + obj.isAdmin);
dset(obj, '__proto__.polluted', true);
console.log("After : " + obj.polluted);

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-28277

GHSA ID

GHSA-q4xc-7cw8-cgfj

EPSS Score

0.84416%

CWE

CWE-1321

Published

5/24/2022

Updated

2/1/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dset	npm	>= 1.0.0, < 2.0.1	2.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the dset function's handling of the 'keys' parameter. The function (exported as default in src/index.js) recursively sets nested properties without checking if intermediate keys reference the prototype chain. The provided PoC demonstrates prototype pollution by setting 'proto.polluted', and the commit diff shows the vulnerable logic was in this function. The lack of validation for prototype-related keys before property assignment is the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w Prototyp* pollution vuln*r**ility in '*s*t' v*rsions *.*.* t*rou** *.*.* *llows *tt**k*r to **us* * **ni*l o* s*rvi** *n* m*y l*** to r*mot* *o** *x**ution. ### **t*ils T** NPM mo*ul* '*s*t' **n ** **us** *y Prototyp* Pollution vuln*r**

Reasoning

T** vuln*r**ility st*ms *rom t** *s*t *un*tion's **n*lin* o* t** 'k*ys' p*r*m*t*r. T** *un*tion (*xport** *s ****ult in sr*/in**x.js) r**ursiv*ly s*ts n*st** prop*rti*s wit*out ****kin* i* int*rm**i*t* k*ys r***r*n** t** prototyp* ***in. T** provi***

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-28277: dset vulnerable to prototype pollution

Overview

Details

PoC

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI