Miggo Logo
Miggo Vulnerability Database
CVE-2020-7714

CVE-2020-7714: Prototype Pollution in confucious

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-7714
GHSA ID
GHSA-fmrr-mx6j-h3h5
EPSS Score
0.60516%
CWE
CWE-1321
Published
5/6/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
confuciousnpm<= 0.0.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. All vulnerability descriptions explicitly cite the 'set' function as the entry point
  2. The PoC demonstrates pollution via confucious.set('proto:polluted', ...)
  3. Prototype pollution typically occurs in functions that recursively merge objects or handle property paths without prototype validation
  4. Multiple authoritative sources (CVE, GHSA, Snyk) concur on the vulnerable function
  5. Lack of path sanitization for proto keys in property assignment logic matches classic prototype pollution patterns

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* p**k*** *on*u*ious up to *n* in*lu*in* v*rsion *.*.** *r* vuln*r**l* to Prototyp* Pollution vi* t** s*t *un*tion.

Reasoning

*. *ll vuln*r**ility **s*riptions *xpli*itly *it* t** 's*t' *un*tion *s t** *ntry point *. T** Po* **monstr*t*s pollution vi* *on*u*ious.s*t('__proto__:pollut**', ...) *. Prototyp* pollution typi**lly o**urs in *un*tions t**t r**ursiv*ly m*r** o*j**t