
CVE-2020-28278: shvl vulnerable to prototype pollution

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.85712%
Published
5/24/2022
Updated
2/1/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| shvl         | npm       | >= 1.0.0, <= 2.0.1  | 2.0.2                 |

Vulnerability Intelligence

Root Cause Analysis

  1. The vulnerability description explicitly identifies the 'set()' function as the entry point
  2. The PoC demonstrates exploitation through shvl.set() with '__proto__' as a segment of the path
  3. GitHub commit 513c084 shows the vulnerable pattern was fixed by adding prototype pollution checks
  4. CWE-1321 (Prototype Pollution) directly maps to unsafe property assignment patterns in set()
  5. Multiple sources (NVD, GHSA, original PR) all point to the set function as the vulnerable component
  6. The remediation involved modifying the set function's path validation logic
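The pattern the analysis above describes, as an added example that is not shvl's code and not the project's patch: a minimal dotted-path setter that walks and creates every path segment without validation, beside a hardened version that rejects the segments which reach a shared prototype and only descends into own properties. The function names (setUnsafe, setSafe, demonstrate) and the attacker paths are this example's own; the paths are constructed inputs, not a PoC from the advisory.

```javascript
// Added example: the unsafe dotted-path setter pattern beside a hardened one.
// Not shvl's code; function names and inputs are the example author's own.

// Vulnerable pattern: walks/creates every path segment without checking
// whether a segment resolves to an inherited object such as Object.prototype.
function setUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined) cur[k] = {};  // '__proto__' is never undefined...
    cur = cur[k];                           // ...so this steps onto Object.prototype
  }
  cur[keys[keys.length - 1]] = value;       // writes to the shared prototype
  return obj;
}

// Hardened pattern: refuse the segments that can reach a shared prototype,
// and only descend into own, non-null, plain-object properties.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN.has(k)) throw new TypeError(`unsafe path segment: ${k}`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both setters against attacker-style paths and reports what happened.
// Deletes the polluted keys afterwards so the process is left clean.
function demonstrate() {
  const result = {};
  try {
    setUnsafe({}, '__proto__.polluted', 'pwned');
    result.vulnerablePolluted = ({}).polluted;         // 'pwned' on an unrelated object
    setUnsafe({}, 'constructor.prototype.polluted2', 'pwned2');
    result.vulnerableViaConstructor = ({}).polluted2;  // 'pwned2' via the constructor route
    try {
      setSafe({}, '__proto__.polluted3', 'x');
      result.safeRejected = false;
    } catch (e) {
      result.safeRejected = e instanceof TypeError;    // true: the path is refused
    }
    result.safeNormalWorks = setSafe({}, 'a.b.c', 'ok').a.b.c;  // 'ok': normal use still works
  } finally {
    delete Object.prototype.polluted;
    delete Object.prototype.polluted2;
  }
  return result;
}

console.log(demonstrate());
```

The blocklist alone is what the fix described in point 6 amounts to (path validation); the own-property check is a second layer so that a segment which merely shadows an inherited key cannot be used to walk off the target object.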


WAF Protection Rules

WAF Rule

### Overview
Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

### Details
The NPM module 'shvl' can be abused by Prototype Pollution vuln...
