Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2020-28499

CVE-2020-28499:
Prototype Pollution in merge

7.3

CVSS Score

Basic Information

CVE ID
CVE-2020-28499
GHSA ID
GHSA-7wpw-2hjm-89gp
EPSS Score
-
CWE
CWE-915
Published
5/4/2021
Updated
2/13/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
mergenpm< 2.1.12.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability documentation explicitly identifies _recursiveMerge as the entry point. The GitHub commit diff shows the vulnerability was patched by adding key checks (proto, constructor, prototype) in this function. The Snyk PoC demonstrates prototype pollution occurs through recursiveMerge operations, which uses _recursiveMerge internally. The function's pre-patch behavior of recursively copying all properties without prototype chain validation matches CWE-915's pattern of improper dynamic object attribute modification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* p**k*** m*r** <*.*.* *r* vuln*r**l* to Prototyp* Pollution vi* _r**ursiv*M*r** .

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s _r**ursiv*M*r** *s t** *ntry point. T** *it*u* *ommit *i** s*ows t** vuln*r**ility w*s p*t**** *y ***in* k*y ****ks (__proto__, *onstru*tor, prototyp*) in t*is *un*tion. T** Snyk Po* **monstr*t*s