Miggo Logo
Miggo Vulnerability Database
CVE-2020-28460

CVE-2020-28460: Prototype pollution in multi-ini

5.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-28460
GHSA ID
GHSA-67mq-h2r9-rh2m
EPSS Score
0.66305%
CWE
CWE-1321
Published
4/13/2021
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
multi-ininpm< 2.1.22.1.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insufficient key validation in the INI parsing logic. The commit diff shows the regex pattern REGEXP_IGNORE_KEYS was expanded from checking only proto to include 'constructor' and 'prototype'. Before this fix, the parser would process keys containing 'constructor.proto' or 'prototype', allowing prototype pollution through specially crafted INI files. The Snyk PoC demonstrates this using '[constructor] prototype.polluted' syntax. The core vulnerability exists in the key validation logic within the Parser class in parser.js that handles property assignment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** multi-ini ***or* *.*.*. It is possi*l* to pollut* *n o*j**t's prototyp* *y sp**i*yin* t** *onstru*tor.proto o*j**t *s p*rt o* *n *rr*y. T*is is * *yp*ss o* *V*-****-*****.

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt k*y v*li**tion in t** INI p*rsin* lo*i*. T** *ommit *i** s*ows t** r***x p*tt*rn R***XP_I*NOR*_K*YS w*s *xp*n*** *rom ****kin* only __proto__ to in*lu** '*onstru*tor' *n* 'prototyp*'. ***or* t*is *ix, t** p*r