CVE-2020-8147: Prototype Pollution
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.77213%
CWE
Published: 9/3/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
utils-extend | npm | >= 0.0.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly states that the extend function in utils-extend is vulnerable to prototype pollution. Prototype pollution vulnerabilities typically occur in object-merging functions that fail to restrict modifications to the Object prototype. Multiple authoritative sources (GitHub Advisory, NVD, HackerOne) directly attribute the vulnerability to this function. The lack of input validation for prototype-modifying properties aligns with CWE-471 (Modification of Assumed-Immutable Data, MAID) and matches the mechanics of prototype pollution attacks.
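
The root cause described above, shown as an added example that is not utils-extend's source code: a hypothetical unguarded recursive merge (`naiveExtend`) beside a hardened one (`safeExtend`), with a regression check run over a constructed input. All function names and the sample JSON are assumptions made for illustration.

```javascript
// Added example: neither function is utils-extend's code; all names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded merge: recurses into whatever target[key] resolves to, including
// the inherited __proto__ accessor, which returns Object.prototype.
function naiveExtend(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: own keys only, prototype-modifying keys rejected, and
// recursion only into objects the target itself owns.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]);
      if (!owned) target[key] = {};
      safeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Regression check: merge constructed, untrusted-style JSON and report whether
// a fresh object now inherits the marker property. Cleans up afterwards.
function checkPollution(extendFn) {
  const input = JSON.parse('{"a":{"b":1},"__proto__":{"polluted":"yes"}}');
  const merged = extendFn({ a: { c: 2 } }, input);
  const polluted = 'polluted' in {};
  delete Object.prototype.polluted;
  return { merged, polluted };
}

console.log('naive merge pollutes Object.prototype:', checkPollution(naiveExtend).polluted);
console.log('safe merge pollutes Object.prototype: ', checkPollution(safeExtend).polluted);
```

The same `checkPollution` harness can be pointed at any merge helper in a code base as a unit test; because the table above lists no patched version of utils-extend, replacing the call site with a guarded merge is the available mitigation.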