
CVE-2020-28450: Prototype Pollution in decal

CVSS Score (v3.1)
8.6

Basic Information

EPSS Score
0.59908%
Published
4/13/2021
Updated
9/5/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Package Name: decal
Ecosystem: npm
Vulnerable Versions: <= 2.1.3
First Patched Version: (none listed)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

  1. The advisory explicitly states that the vulnerability resides in the extend function.
  2. The provided code shows that the extend function performs recursive object merging (lines 23-56) using a deep-copy approach.
  3. The function lacks prototype pollution safeguards: it does not check whether property names are special prototype keys (__proto__, constructor, prototype) when merging objects.
  4. The PoC demonstrates prototype pollution via JSON input containing __proto__ properties, which the function copies into the target object's prototype chain.
  5. The vulnerability matches the classic prototype pollution pattern in which an unsafe recursive merge enables pollution of base object prototypes.
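The analysis above describes a recursive merge that copies every key from its source, so a JSON document with a `__proto__` key ends up writing into Object.prototype. The following is an added illustrative example, not decal's code: `unsafeExtend` reproduces the general class of bug (any recursive merge that trusts key names), `safeExtend` shows the usual hardening (skip `__proto__`, `constructor` and `prototype`, and only recurse into the target's own properties), and `findForbiddenKeys` is a pre-merge validator a service can run on untrusted input so a polluting request can be rejected and logged before it reaches any merge. The payload string is constructed for the demonstration.

```javascript
// Added example: recursive deep merge with and without prototype-pollution safeguards.
// None of this is decal's code; it reproduces the bug class the advisory describes.

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Keys that must never be copied from untrusted input into an object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge (illustrative of the vulnerable pattern).
// For key "__proto__", target[key] resolves through the inherited __proto__
// accessor to Object.prototype, so the recursion writes into the shared
// prototype and every plain object in the process is affected.
function unsafeExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: prototype-chain keys are skipped, and recursion only
// descends into an OWN plain-object property of target, never an inherited one.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Pre-merge validation for untrusted JSON: returns JSONPath-style locations of
// forbidden keys so the caller can reject the input (and log the attempt).
// Only plain objects are walked; arrays are left as opaque values.
function findForbiddenKeys(value, path = '$') {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Constructed input in the shape the advisory's PoC describes (a JSON
// document carrying a "__proto__" member). JSON.parse creates it as an own
// property, which is exactly what a merge must refuse to honour.
const POLLUTING_JSON = '{"__proto__": {"polluted": true}, "a": {"b": 1}}';

// Runs a merge function against a fresh target and reports whether an
// unrelated object gained the "polluted" property. Cleans up afterwards so
// the process is left in its original state.
function checkPollution(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(POLLUTING_JSON));
  const probe = {};
  const polluted = probe.polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('forbidden keys in input:', findForbiddenKeys(JSON.parse(POLLUTING_JSON)));
  console.log('unsafeExtend pollutes Object.prototype:', checkPollution(unsafeExtend));
  console.log('safeExtend pollutes Object.prototype:', checkPollution(safeExtend));
}
```

The `hasOwnProperty` check in `safeExtend` matters as much as the key blocklist: a merge that skips `__proto__` but still recurses into `target[key]` for an inherited property would write into whatever that property resolves to. Running `findForbiddenKeys` at the input boundary also gives a clean detection signal, since legitimate JSON almost never carries these keys.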

WAF Protection Rules

WAF Rule

This affects all versions of package decal. The vulnerability is in the extend function.
