CVE-2020-28458: datatables.net vulnerable to Prototype Pollution due to incomplete fix
CVSS Score: 7.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-28458
GHSA ID:
EPSS Score: 0.7512%
CWE:
Published: 12/17/2020
Updated: 6/21/2024
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
datatables.net | npm | < 1.10.22 | 1.10.22 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The GitHub commit diff shows that the vulnerability was in _fnSetObjectDataFn, where the prototype pollution checks were incomplete. The patch adds 'constructor' to the blocked property names, confirming this was the vulnerable code path. The CVE description explicitly calls this an incomplete fix for a previous prototype pollution issue (CVE-2020-28458), and because the function's purpose is to write object data by property name, it is a clear vector for prototype pollution whenever proper property-name validation is missing.
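The following is an added illustration, not DataTables' own code, of the difference the patch makes. It models a nested-path setter in the spirit of _fnSetObjectDataFn (the names setObjectData, isSafeKey, isSafeKeyIncomplete and prototypeIsClean are hypothetical), with the incomplete guard that rejected only __proto__ placed beside the complete guard that also rejects constructor and prototype. The hardened setter throws on a denied segment so the rejection is visible in logs, and a regression check confirms that a fresh object sees no leaked key after a write.

```javascript
'use strict';

// Added example, not code from the DataTables project.
// The guard as an incomplete fix leaves it: only __proto__ is denied.
function isSafeKeyIncomplete(key) {
  return key !== '__proto__';
}

// The complete guard: obj.constructor.prototype reaches Object.prototype
// exactly as obj.__proto__ does, so all three names must be denied.
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isSafeKey(key) {
  return !DENIED_KEYS.has(key);
}

// Write `value` into `obj` at the dotted `path` (e.g. "user.name"),
// creating intermediate plain objects. Only own properties are reused,
// and a denied segment throws rather than being silently skipped.
function setObjectData(obj, path, value, isSafe = isSafeKey) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (!isSafe(key)) {
      throw new Error(`refusing to set property "${key}" in path "${path}"`);
    }
    if (i === parts.length - 1) {
      cur[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = {};
      }
      cur = cur[key];
    }
  }
  return obj;
}

// Regression check: after any write, a brand-new object must not see `key`.
function prototypeIsClean(key) {
  return !(key in {});
}

// Runs a normal write and a denied write with the complete guard and
// reports what happened; nothing here touches Object.prototype.
function demo() {
  const row = setObjectData({}, 'user.name', 'alice');
  let rejected = false;
  try {
    setObjectData({}, 'constructor.prototype.polluted', true);
  } catch (e) {
    rejected = true;
  }
  return { row, rejected, clean: prototypeIsClean('polluted') };
}

console.log(JSON.stringify(demo()));
```

The contrast is the return value of the two predicates on the string 'constructor': the incomplete guard accepts it, so a path beginning with that segment would walk from a plain object up to Object.prototype, while the complete guard refuses it before any property is written. Running the denied write through setObjectData with isSafeKeyIncomplete is deliberately not done here, since it would pollute the prototype of the process executing the example.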