
CVE-2020-7768: Prototype pollution in grpc and @grpc/grpc-js

CVSS Score (3.1): 7.5

Basic Information

EPSS Score: 0.82123%
Published: 5/10/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| grpc | npm | < 1.24.4 | 1.24.4 |
| @grpc/grpc-js | npm | < 1.1.8 | 1.1.8 |

Vulnerability Intelligence
Root Cause Analysis

The core vulnerability manifests in loadPackageDefinition functions in both packages, as shown by:

  1. The Snyk POC directly triggering pollution through loadPackageDefinition({'__proto__.polluted': true})
  2. Patch descriptions explicitly mentioning fixes to loadPackageDefinition
  3. Identical CWE-1321 (Prototype Pollution) attribution for both packages
  4. Shared mitigation pattern across both implementations (grpc@1.24.4 and @grpc/grpc-js@1.1.8 patches)

In vulnerable versions, these functions process user-controlled package definitions without proper prototype validation, making them the primary runtime indicators.
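The following added example (not code from grpc, @grpc/grpc-js, or this page) shows why a loader that expands dotted names into nested objects is exposed to the `'__proto__.polluted'` key quoted above, next to a checked variant that skips such keys. The names `insert`, `loadDefinition` and `demo` are hypothetical, and the deny-list is an assumed mitigation, not a copy of the upstream patches.

```javascript
// Keys that resolve to prototype objects instead of plain own properties.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

// Expands "a.b.c" into root.a.b.c = value, creating intermediate objects.
// With checked=false this mirrors the unvalidated behaviour described above.
function insert(root, fqn, value, checked) {
  const parts = fqn.split('.');
  let current = root;
  for (const part of parts.slice(0, -1)) {
    if (checked && FORBIDDEN.has(part)) return false;
    // Unchecked: current['__proto__'] is Object.prototype, so the walk
    // leaves the result tree and lands on the shared prototype.
    if (!current[part]) current[part] = {};
    current = current[part];
  }
  const leaf = parts[parts.length - 1];
  if (checked && FORBIDDEN.has(leaf)) return false;
  current[leaf] = value;
  return true;
}

// Simplified stand-in for a package-definition loader (hypothetical).
function loadDefinition(packageDef, checked) {
  const result = {};
  const skipped = [];
  for (const fqn of Object.keys(packageDef)) {
    if (!insert(result, fqn, packageDef[fqn], checked)) skipped.push(fqn);
  }
  return { result, skipped };
}

// Loads a constructed definition, reports whether an unrelated fresh object
// inherited `polluted`, then removes the property so the process stays clean.
function demo(checked) {
  const def = { '__proto__.polluted': true, 'pkg.Greeter': { service: true } };
  const { result, skipped } = loadDefinition(def, checked);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  const hasGreeter = Boolean(result.pkg && result.pkg.Greeter);
  return { polluted, skipped, hasGreeter };
}

console.log('unchecked:', demo(false));
console.log('checked:  ', demo(true));
```

Logging the `skipped` list in a real service gives a runtime signal that a definition carried prototype-related keys.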
