Miggo Logo
Miggo Vulnerability Database
CVE-2020-28450

CVE-2020-28450: Prototype Pollution in decal

8.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-28450
GHSA ID
GHSA-j32x-j8pj-pg2h
EPSS Score
0.59908%
CWE
CWE-94
Published
4/13/2021
Updated
9/5/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
decalnpm<= 2.1.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The advisory explicitly states the vulnerability resides in the extend function.
  2. The provided code shows the extend function performs recursive object merging (lines 23-56) using a deep copy approach.
  3. The function lacks prototype pollution safeguards: it doesn't check if property names are special prototype keys (proto, constructor, prototype) when merging objects.
  4. The PoC demonstrates prototype pollution via JSON input containing proto properties, which the function copies into the target object's prototype chain.
  5. The vulnerability matches classic prototype pollution patterns where unsafe recursive merges enable pollution of base object prototypes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts *ll v*rsions o* p**k*** ****l. T** vuln*r**ility is in t** *xt*n* *un*tion.

Reasoning

*. T** **visory *xpli*itly st*t*s t** vuln*r**ility r*si**s in t** *xt*n* *un*tion. *. T** provi*** *o** s*ows t** *xt*n* *un*tion p*r*orms r**ursiv* o*j**t m*r*in* (lin*s **-**) usin* * ***p *opy *ppro***. *. T** *un*tion l**ks prototyp* pollution s