Miggo Logo
Miggo Vulnerability Database
CVE-2020-7765

CVE-2020-7765: Uncontrolled Resource Consumption in firebase

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-7765
GHSA ID
GHSA-fpm5-vv97-jfwg
EPSS Score
0.38799%
CWE
CWE-400
Published
5/18/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
@firebase/utilnpm< 0.3.40.3.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The vulnerability description explicitly mentions deepExtend in DeepCopy.ts as the affected component.
  2. The GitHub commit 9cf727f shows added validation for 'proto' in deepExtend, confirming this was the vulnerable entry point.
  3. The Snyk PoC demonstrates prototype pollution via deepExtend.
  4. The CVE/NVD descriptions link the vulnerability to improper input handling in object merging logic.
  5. The patch adds an 'isValidKey' check specifically for 'proto', indicating this was the attack vector.
  6. High confidence as multiple sources (advisory, commit, CVE) directly implicate this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** @*ir***s*/util ***or* *.*.*. T*is vuln*r**ility r*l*t*s to t** ***p*xt*n* *un*tion wit*in t** ***p*opy.ts *il*. **p*n*in* on i* us*r input is provi***, *n *tt**k*r **n ov*rwrit* *n* pollut* t** o*j**t prototyp* o* * pro*r*m.

Reasoning

*. T** vuln*r**ility **s*ription *xpli*itly m*ntions ***p*xt*n* in ***p*opy.ts *s t** *****t** *ompon*nt. *. T** *it*u* *ommit ******* s*ows ***** v*li**tion *or '__proto__' in ***p*xt*n*, *on*irmin* t*is w*s t** vuln*r**l* *ntry point. *. T** Snyk P