
CVE-2020-28458: datatables.net vulnerable to Prototype Pollution due to incomplete fix

CVSS Score: 7.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.7512%
Published: 12/17/2020
Updated: 6/21/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name: datatables.net
Ecosystem: npm
Vulnerable Versions: < 1.10.22
First Patched Version: 1.10.22

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The GitHub commit diff shows the vulnerability was in _fnSetObjectDataFn, where the prototype pollution check was incomplete: the earlier fix rejected only the `__proto__` key while walking a dotted data path, so an attacker-controlled path of the form constructor.prototype.<key> could still reach Object.prototype through the constructor property of an ordinary object. The patch adds 'constructor' to the blocked property names, confirming this was the vulnerable code path. The CVE description explicitly calls this an incomplete fix for a previous prototype pollution issue in the same package, and the function's purpose of writing object data by property path makes it a clear vector for prototype pollution when property validation is missing.
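The bypass described above, as an added example that is not DataTables' own code: a minimal dotted-path setter in the shape of a column data-source setter, run with two block lists. It assumes the pre-patch check rejected only `__proto__` (consistent with the advisory saying the patch added `constructor`); the set names, function names and the two payload paths are this example's own, constructed for illustration.

```javascript
// Added example, not DataTables' own code: a minimal dotted-path setter in the
// shape of a column data-source setter, used to show why a block list that
// stops at '__proto__' is an incomplete prototype-pollution fix.

// The two block lists being compared. That the pre-patch check rejected only
// '__proto__' is an assumption consistent with the advisory; the names of these
// sets and of every function below are this example's own.
const BLOCKED_INCOMPLETE = new Set(['__proto__']);
const BLOCKED_COMPLETE = new Set(['__proto__', 'constructor', 'prototype']);

// Build a setter for a dotted path such as 'user.name'. Every segment of the
// path is checked against the block list before it is followed or written.
function makeSetter(path, blocked) {
  const parts = path.split('.');
  return function set(obj, value) {
    let cur = obj;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      if (blocked.has(key)) throw new Error('Cannot set prototype values: ' + key);
      // Intermediate objects are created on demand, as a data setter would.
      // For a plain object, cur['constructor'] is Object and
      // Object['prototype'] is Object.prototype, so an unblocked
      // 'constructor' segment walks straight out of the target object.
      if (cur[key] === undefined) cur[key] = {};
      cur = cur[key];
    }
    const last = parts[parts.length - 1];
    if (blocked.has(last)) throw new Error('Cannot set prototype values: ' + last);
    cur[last] = value;
  };
}

// Run one path through a setter and report whether the block list rejected it
// and whether Object.prototype was polluted anyway. Any pollution is undone
// before returning so the global prototype is left clean.
function pollutionAttempt(path, blocked) {
  const lastKey = path.split('.').pop();
  const target = {};
  let rejected = false;
  try {
    makeSetter(path, blocked)(target, 'pwned');
  } catch (e) {
    rejected = true;
  }
  const escaped = Object.prototype.hasOwnProperty.call(Object.prototype, lastKey);
  if (escaped) delete Object.prototype[lastKey];
  return { rejected, escaped };
}

// Benign use for contrast: a normal path writes into the target object only.
function benignWrite() {
  const row = {};
  makeSetter('user.name', BLOCKED_COMPLETE)(row, 'alice');
  return row.user.name;
}

// Constructed payload paths for this example, not taken from any real exploit.
const PAYLOADS = ['__proto__.polluted', 'constructor.prototype.polluted'];

for (const p of PAYLOADS) {
  console.log(
    p,
    'incomplete:', JSON.stringify(pollutionAttempt(p, BLOCKED_INCOMPLETE)),
    'complete:', JSON.stringify(pollutionAttempt(p, BLOCKED_COMPLETE))
  );
}
```

Run with node. With the incomplete list, `constructor.prototype.polluted` is not rejected and a fresh `{}` afterwards reports `polluted === 'pwned'`; with the complete list both payloads are rejected and the benign path still writes only into the target row. A block list is a patch for the symptom; a setter that refuses to follow any segment that is not an own property of the current object (or that builds the nested structure from `Object.create(null)` objects) removes the class of bug instead of enumerating dangerous keys.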


WAF Protection Rules

WAF Rule

All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-******.
