CVE-2020-7679: Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs
7.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.72647%
CWE
Published
5/17/2021
Updated
9/13/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
casperjs | npm | <= 1.1.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- Multiple sources (CVE, GHSA, Snyk) explicitly identify mergeObjects as the vulnerable function.
- The PoC demonstrates prototype pollution occurs through this function.
- The vulnerability matches CWE-1321's pattern of unsafe prototype attribute modification.
- The function's recursive merging logic likely doesn't check for prototype special properties like proto.
- File path is confirmed by GitHub advisory links to utils.js line 680 where merge logic resides.