CVE-2020-28450: Prototype Pollution in decal

CVSS Score: 8.6 (CVSS v3.1)

Basic Information

CVE ID: CVE-2020-28450
GHSA ID
EPSS Score: 0.59908%
CWE
Published: 4/13/2021
Updated: 9/5/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| decal | npm | <= 2.1.3 | |
Vulnerability Intelligence (Miggo AI)

Root Cause Analysis
- The advisory explicitly states that the vulnerability resides in the `extend` function.
- The provided code shows that `extend` performs recursive object merging (lines 23-56) using a deep-copy approach.
- The function lacks prototype pollution safeguards: while merging, it does not check whether a property name is one of the special prototype keys (`__proto__`, `constructor`, `prototype`).
- The PoC demonstrates prototype pollution via JSON input containing a `__proto__` property, which the function copies into the target object's prototype chain.
- The vulnerability matches the classic prototype pollution pattern, in which an unsafe recursive merge allows attacker-controlled keys to reach `Object.prototype`.
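The root cause above is the general unsafe-recursive-merge pattern, so the hardened form is worth showing in working code. The following is an added example written for this page; it is not decal's code and does not reproduce its `extend` function. It implements a deep merge that skips the three prototype keys, iterates only own enumerable properties, and never walks through an inherited object on the target. The `untrustedJson` value is a constructed input shaped like the kind of payload the PoC description mentions (a JSON document carrying a `__proto__` member); `JSON.parse` turns that member into an ordinary own property, which is exactly why a naive `target[key] = value` would assign to the prototype.

```javascript
// Added example, not decal's code: a deep merge hardened against prototype pollution.

// Keys that must never be copied by a merge; assigning through any of them can
// reach Object.prototype (directly via __proto__, or via constructor.prototype).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Recursive merge of `source` into `target`, returning `target`.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {        // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) continue;         // the actual fix
    const value = source[key];
    if (isPlainObject(value)) {
      // Only recurse into an object the target owns itself; an inherited
      // property (e.g. a method on the prototype) is replaced, not walked into.
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input: JSON carrying a __proto__ member. JSON.parse
// creates it as an own property, so Object.keys() lists it like any other key.
const untrustedJson = '{"a": 1, "__proto__": {"polluted": true}}';

// Merges the constructed input into a fresh object and reports whether the
// global Object.prototype was affected.
function demo() {
  const result = safeExtend({}, JSON.parse(untrustedJson));
  return {
    mergedA: result.a,
    // A brand-new object must not inherit the attacker-chosen property.
    prototypePolluted: ({}).polluted === true,
    // The __proto__ key was dropped rather than copied as an own property.
    ownProtoCopied: Object.prototype.hasOwnProperty.call(result, "__proto__"),
  };
}

module.exports = { FORBIDDEN_KEYS, isPlainObject, safeExtend, untrustedJson, demo };
```

As a detection aid after the fact, the `prototypePolluted` style check in `demo` (create an empty object and test for a property it should not have) is a cheap assertion to run in a test suite around any merge, clone or set-by-path utility, since the symptom of pollution is visible on every object in the process rather than just the one that was merged.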