9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-28461

GHSA ID

GHSA-m939-vrfp-9v8p

EPSS Score

0.30932%

CWE

CWE-1321

Published

7/26/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-28461

CVE-2020-28461: js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-28461

CVE-2020-28461:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-28461

GHSA ID

GHSA-m939-vrfp-9v8p

EPSS Score

0.30932%

CWE

CWE-1321

Published

7/26/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
js-ini	npm	< 1.3.0	1.3.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how the parse function handles section names in INI files. Before the patch:

When encountering a section like [proto], it would create result[currentSection] = {} without validation
Normal object initialization ({}) inherits from Object.prototype, allowing prototype pollution via proto keys
The patch added explicit checks for proto sections and introduced Object.create(null) to create prototype-less objects
The security advisory's PoC shows direct exploitation through section name manipulation
The CWE-1321 mapping confirms this is a prototype pollution vulnerability in object initialization paths

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-28461: js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`

CVE-2020-28461:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

9.8

9.8

CVE-2020-28461: js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI