CVE-2020-28278: shvl vulnerable to prototype pollution
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-28278
GHSA ID
EPSS Score: 0.85712%
CWE: CWE-1321 (Prototype Pollution)
Published: 5/24/2022
Updated: 2/1/2024
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
shvl | npm | >= 1.0.0, <= 2.0.1 | 2.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability description explicitly identifies the `set()` function as the entry point
- The PoC demonstrates exploitation through `shvl.set()` with `__proto__` as a segment of the path argument
- GitHub commit 513c084 shows the vulnerable pattern was fixed by adding prototype pollution checks
- CWE-1321 (Prototype Pollution) directly maps to the unsafe property assignment pattern in `set()`: path segments are used as property keys without being validated, so a `__proto__` segment resolves to `Object.prototype` and the final write lands on every plain object in the process
- Multiple sources (NVD, GHSA, original PR) all point to the `set` function as the vulnerable component
- The remediation involved modifying the `set` function's path validation logic
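The following is an added example, not shvl's own source or its patch: a minimal dot-path setter written in the style of the vulnerable `set()` pattern described above, beside a hardened version, with a harness that shows an unrelated object acquiring an attribute after a `__proto__` path is processed. The blocked-key list and the choice to throw on a blocked key are assumptions made here for illustration; the actual shvl 2.0.2 fix may handle such keys differently.

```javascript
// Added example (not shvl's code): vulnerable dot-path setter vs. hardened one.

// Vulnerable pattern: each path segment is used as a property key with no
// validation, and missing intermediates are created on the fly. A segment
// of '__proto__' resolves to Object.prototype, so the final assignment
// pollutes every plain object in the process.
function vulnerableSet(object, path, value) {
  const keys = path.split('.');
  let cursor = object;
  for (let i = 0; i < keys.length - 1; i++) {
    cursor = cursor[keys[i]] = cursor[keys[i]] || {};
  }
  cursor[keys[keys.length - 1]] = value;
  return object;
}

// Hardened pattern (assumed design, not the library's): refuse any segment
// that can reach a shared prototype, and only descend into own properties
// so an inherited value is never used as a write target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(object, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`refusing prototype-reaching path segment "${key}"`);
    }
  }
  let cursor = object;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cursor, key);
    if (!own || typeof cursor[key] !== 'object' || cursor[key] === null) {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = value;
  return object;
}

// Runs one setter against a constructed attacker-controlled path and reports
// whether the setter threw and whether a fresh, unrelated object now carries
// the injected attribute. Cleans up Object.prototype afterwards so the
// process is not left polluted for later code.
function demonstrate(setter) {
  const attackerPath = '__proto__.isAdmin'; // constructed sample input
  let threw = false;
  try {
    setter({}, attackerPath, true);
  } catch (e) {
    threw = true;
  }
  const victim = {};                        // never touched by the setter
  const victimIsAdmin = victim.isAdmin === true;
  delete Object.prototype.isAdmin;          // undo the pollution, if any
  return { threw, victimIsAdmin };
}

console.log('vulnerableSet:', demonstrate(vulnerableSet)); // { threw: false, victimIsAdmin: true }
console.log('safeSet:', demonstrate(safeSet));             // { threw: true, victimIsAdmin: false }
console.log('safeSet normal use:', JSON.stringify(safeSet({}, 'a.b.c', 1)));
```

The check in `safeSet` is deliberately applied to every segment, not only the intermediate ones: a final segment of `__proto__` would replace the target object's prototype rather than add a property, which is a different but still attacker-useful outcome. When auditing a codebase for this pattern, look for any helper that splits a user-influenced string on `.` and walks it with bracket access; the same logic in a `merge`, `extend` or `defaults` helper is equally exposed.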