
CVE-2020-28282: Prototype pollution in getobject

CVSS Score
9.8 (CVSS v3.1)

Basic Information

EPSS Score
0.82747%
Published
10/12/2021
Updated
9/7/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
getobject
Ecosystem
npm
Vulnerable Versions
< 1.0.0
First Patched Version
1.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the set() function's handling of property paths. The function uses getParts() to split user-supplied paths and recursively traverses or creates the intermediate objects. When a path contains a special key such as '__proto__', the traversal steps into the prototype chain instead of staying on the target object. The PoC demonstrates this by polluting Object.prototype.isAdmin. The code at line 48 (obj[prop] = value) assigns the value directly to whatever property the path resolved to, including properties of a prototype object. The get() function's 'create: true' parameter enables the path traversal, but the critical unsafe assignment occurs in set().
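The following is an added illustration, not getobject's own code: a minimal path-setting helper with the shape the analysis describes (a getParts() split followed by a walk that creates missing levels and assigns at the end), beside a hardened variant that refuses prototype-related segments. The names getParts, unsafeSet, safeSet and prototypeHas are chosen here for the example.

```javascript
// Constructed example (not the getobject library's source).
// Splits a dotted path into its segments, as the analysis describes getParts() doing.
function getParts(path) {
  return String(path).split('.');
}

// Unsafe variant: walks or creates every segment of a user-supplied path and
// assigns into whatever object the final segment resolves to. A leading
// '__proto__' segment resolves to Object.prototype, so the final assignment
// lands on the shared prototype instead of the target object.
function unsafeSet(obj, path, value) {
  const parts = getParts(path);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: rejects any segment that can reach the prototype chain and
// only descends into own, non-null object properties, creating fresh objects
// otherwise. A crafted path therefore cannot reach Object.prototype.
function safeSet(obj, path, value) {
  const parts = getParts(path);
  if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
    throw new Error(`refusing to set path with forbidden segment: ${path}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Detection helper: reports whether Object.prototype has gained an own property
// with the given name, which is what a successful pollution leaves behind.
function prototypeHas(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

Running unsafeSet({}, '__proto__.isAdmin', true) makes prototypeHas('isAdmin') true for every plain object in the process, while safeSet throws on the same path and leaves the prototype untouched.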


WAF Protection Rules

WAF Rule

Prototype pollution vulnerability in 'getobject' version *.*.* allows an attacker to cause a denial of service and may lead to remote code execution.
