
CVE-2020-7644:
Uncontrolled Resource Consumption in fun-map

CVSS Score (v3.1)
8.1

Basic Information

EPSS Score
0.66811%
Published
12/10/2021
Updated
1/27/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
fun-map
Ecosystem
npm
Vulnerable Versions
<= 3.3.1
First Patched Version
(not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability description explicitly identifies assocInM as the vulnerable function. Analysis of the source code shows that it uses user-controlled keys to recursively create nested objects (obj[key] = {}) without validating against special prototype properties such as __proto__. This allows an attacker to modify Object.prototype by supplying a malicious key path (e.g., ['__proto__', 'polluted']), leading to prototype pollution. The function's structure matches classic prototype pollution patterns, and the CWE-1321 classification confirms this assessment.
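To make the pattern concrete, the following added example (not fun-map's own code; the function names assocInUnsafe, assocInSafe, hasPrototypeKey and pollutesObjectPrototype are assumed) places a minimal assocIn-style setter with the defect described above beside a hardened version that rejects prototype keys and only descends into own properties, plus a helper that checks whether a call left Object.prototype polluted.

```javascript
// Keys that let a key path walk into the prototype chain of a plain object.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Input-validation predicate: true if any segment could reach a prototype.
function hasPrototypeKey(path) {
  return path.some((k) => typeof k !== 'string' || PROTOTYPE_KEYS.has(k));
}
// Vulnerable pattern (assumed shape, not fun-map's code): creates nested
// objects along a caller-supplied path with no check on the keys. With
// ['__proto__', 'x'] the loop descends into Object.prototype (typeof is
// 'object', so no fresh {} is made) and writes 'x' where every object inherits it.
function assocInUnsafe(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened version: rejects prototype keys up front and only descends into
// own properties, so an inherited object is never used as a write target.
function assocInSafe(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array of strings');
  }
  if (hasPrototypeKey(path)) {
    throw new TypeError('refusing a key path that reaches a prototype');
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Check helper: true if running fn leaves `marker` as an own property of
// Object.prototype; the property is deleted again so the process stays clean.
function pollutesObjectPrototype(fn, marker) {
  try { fn(); } catch (e) { /* rejected input: nothing was written */ }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  delete Object.prototype[marker];
  return polluted;
}
```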


WAF Protection Rules

WAF Rule

fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
