7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7679

GHSA ID

GHSA-vrr3-5r3v-7xfw

EPSS Score

0.72647%

CWE

CWE-915

Published

5/17/2021

Updated

9/13/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7679

CVE-2020-7679: Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs

Overview

casperjs is a navigation scripting & testing utility for PhantomJS and SlimerJS.

Affected versions of this package are vulnerable to Prototype Pollution via the mergeObjects utility function.

PoC

var payload = JSON.parse('{"__proto__": {"a": "pwned"}}');
mergeObjects({}, payload);
console.log({}.a); // prints "pwned"

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7679

GHSA ID

GHSA-vrr3-5r3v-7xfw

EPSS Score

0.72647%

CWE

CWE-915

Published

5/17/2021

Updated

9/13/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
casperjs	npm	<= 1.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Multiple sources (CVE, GHSA, Snyk) explicitly identify mergeObjects as the vulnerable function.
The PoC demonstrates prototype pollution occurs through this function.
The vulnerability matches CWE-1321's pattern of unsafe prototype attribute modification.
The function's recursive merging logic likely doesn't check for prototype special properties like proto.
File path is confirmed by GitHub advisory links to utils.js line 680 where merge logic resides.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w **sp*rjs is * n*vi**tion s*riptin* & t*stin* utility *or P**ntomJS *n* Slim*rJS. *****t** v*rsions o* t*is p**k*** *r* vuln*r**l* to Prototyp* Pollution vi* t** m*r**O*j**ts utility *un*tion. ### Po* ```js v*r p*ylo** = JSON.p*rs*('{"_

Reasoning

*. Multipl* sour**s (*V*, **S*, Snyk) *xpli*itly i**nti*y m*r**O*j**ts *s t** vuln*r**l* *un*tion. *. T** Po* **monstr*t*s prototyp* pollution o**urs t*rou** t*is *un*tion. *. T** vuln*r**ility m*t***s *W*-****'s p*tt*rn o* uns*** prototyp* *ttri*ut*

7.3

Basic Information

Concerned about an active attack path?

CVE-2020-7679: Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs

Overview

PoC

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI